WordPress.org

Ready to get started? Download WordPress

Meet WordPress

WordPress is open source software you can use to create a beautiful website, blog, or app.

WordCamp EU 2019 in Berlin, Germany

Beautiful designs, powerful features, and the freedom to build anything you want. WordPress is both free and priceless at the same time.

Trusted by the Best

33% of the web uses WordPress, from hobby blogs to the biggest news sites online.

Powerful Features

Limitless possibilities. What will you create?

  • Customizable Designs
  • SEO Friendly
  • Responsive Mobile Sites
  • High Performance
  • Manage on the Go
  • High Security
  • Powerful Media Management
  • Easy and Accessible

Extend WordPress with over 54,000 plugins to help your website meet your needs. Add an online store, galleries, mailing lists, forums, analytics, and much more.

Community

Hundreds of thousands of developers, content creators, and site owners gather at monthly meetups in 436 cities worldwide.

Find a local WordPress community

Get Started with WordPress

Over 60 million people have chosen WordPress to power the place on the web they call “home” — join the family.

News From Our Blog

Minimum PHP Version update

WordPress 5.2 is targeted for release at the end of this month, and with it comes an update to the minimum required version of PHP. WordPress will now require a minimum of PHP 5.6.20. Beginning in WordPress 5.1, users running PHP versions below 5.6 have had a notification in their dashboard that includes information to […]

It’s Easy As…

  1. Find a Web Host and get great hosting while supporting WordPress at the same time.
  2. Download & Install WordPress with our famous 5-minute installation. Feel like a rock star.
  3. Read the Documentation and become a WordPress expert yourself, impress your friends.
#####EOF##### WordPress.com: Create a Free Website or Blog
Build a website, build a movement.

Whatever you want to create, share, or sell, we’ll help you do it right here.

Free to start, with room to grow.

Whether it’s a website, online store, portfolio, or blog, our plans scale with your dreams. All you need is an idea and an internet connection.

Blogger

$3

per month, billed yearly

Best for Bloggers Brand your blog with a custom .blog domain name, and remove all WordPress.com advertising. Receive additional storage space and email support.

Start with Blogger

  • Free .blog Domain for One Year
  • Jetpack Essential Features
  • Email Support
  • Dozens of Free Themes
  • Basic Design Customization
  • 6GB Storage Space
  • Remove WordPress.com Ads

Personal

$5

per month, billed yearly

Best for Personal Use Boost your website with a custom domain name, and remove all WordPress.com advertising. Get access to high‑quality email and live chat support.

Start with Personal

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Dozens of Free Themes
  • Basic Design Customization
  • 6GB Storage Space
  • Remove WordPress.com Ads

Premium

$8

per month, billed yearly

Best for Freelancers Build a unique website with advanced design tools, CSS editing, lots of space for audio and video, and the ability to monetize your site with ads.

Start with Premium

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • 13GB Storage Space
  • Remove WordPress.com Ads
  • Advanced Social Media
  • Simple Payments
  • Site Monetization
  • VideoPress Support

Business

$25

per month, billed yearly

Best for Small Businesses Power your business website with unlimited premium and business theme templates, Google Analytics support, unlimited storage, and the ability to remove WordPress.com branding.

Start with Business

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • Unlimited Storage Space
  • Remove WordPress.com Ads
  • Advanced Social Media
  • Simple Payments
  • Site Monetization
  • VideoPress Support
  • Get Personalized Help
  • SEO Tools
  • Upload Plugins
  • Install Themes
  • Google Analytics Integration
  • Remove WordPress.com Branding

eCommerce

$45

per month, billed yearly

Best for Online Stores Sell products or services with this powerful, all‑in‑one online store experience. This plan includes premium integrations and is extendable, so it’ll grow with you as your business grows.

Start with eCommerce

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • Unlimited Storage Space
  • Remove WordPress.com Ads
  • Advanced Social Media
  • Simple Payments
  • Site Monetization
  • VideoPress Support
  • Get Personalized Help
  • SEO Tools
  • Upload Plugins
  • Install Themes
  • Google Analytics Integration
  • Remove WordPress.com Branding
  • Accept Payments in 60+ Countries
  • Integrations with Top Shipping Carriers
  • Unlimited Products or Services
  • eCommerce Marketing Tools
  • Premium Customizable Starter Themes

WordPress.com Free

A free WordPress.com site includes a WordPress.com subdomain, community support, dozens of free themes, basic design customization, and more. Start with Free ›

What can you do on WordPress.com?

WordPress.com gives you everything you need to create anything you want. It’s flexible, secure, and powerful, just like you want your business to be.

Build a fan base.
Promote your products, use advanced statistics and SEO tools, and connect with built-in audiences on social media to grow your business.
Open a store.
Process payments, configure taxes and shipping, build a marketing plan—you make the widgets, we’ll make the website.
Start a blog.
Everyone has a point of view. Make your mark online with the world’s greatest blogging tool, and join a community millions strong that’s waiting to hear what you have to say.
Design a portfolio.
Thousands of themes means there’s a layout that’s just right for you, while storage and design options ensure you can upload anything you need to and give your work the stage it deserves.
Getting started is easy.

Engineering happiness.

Our 24/7 support is powered by actual people. We call them Happiness Engineers.

From configuring settings to publishing pages to helping you pick the perfect design, they’re all ears, all smiles, and all human. Happiness Engineers also work all around the world—and around the clock, so there’s always someone there when you need them.

More than 300 humans, available 24/7.

You’re in good company.

People all over the world are doing all sorts of amazing things on WordPress.

Watch Annette’s story

An innovative New York City hair salon.

I looked into what other bloggers whom I admired were using, and the Cadillac of platforms is WordPress.com, hands down. The themes are breathtaking — even the free ones! — and all of the supporting infrastructure and information is top shelf.
Alexis Kanda-Olmstead
alexiskanda-olmstead.com
WordPress.com works really well with Google for a great SEO ranking. I can also embed YouTube videos, Google Maps, and other content easily and without any coding ability.
Quintin Lake
theperimeter.uk

You can. You will. We’ll help.

Invent the world’s greatest cat food, save a rainforest, start a needlepoint club. Whatever it is, it’s going to need a website — that’s where we come in.

#####EOF##### The WordPress.com Blog

WordPress.com’s Parent Company Announces Happy Tools, a New Suite of Products for the Future of Work

Happy Schedule, our first offering, will help distributed teams manage employee schedules and customer support.

Want to start a blogging habit or set up a business website?
Get step-by-step guidance from WordPress.com pros, right in your inbox. Our email courses are free to all and there are no prerequisites.

Visit Blogging University

Create your new blog or website for free

Get Started

#####EOF##### About Us: Our Mission | WordPress.org

WordPress.org

Democratize Publishing

The freedom to build. The freedom to change. The freedom to share.

Our Mission

WordPress is software designed for everyone, emphasizing accessibility, performance, security, and ease of use. We believe great software should work with minimal setup, so you can focus on sharing your story, product, or services freely. The basic WordPress software is simple and predictable so you can easily get started. It also offers powerful features for growth and success.

We believe in democratizing publishing and the freedoms that come with open source. Supporting this idea is a large community of people collaborating on and contributing to this project. The WordPress community is welcoming and inclusive. Our contributors’ passion drives the success of WordPress which, in turn, helps you reach your goals.

WordPress contributors work around the globe, and have dedicated countless hours to build a tool that democratizes publishing. WordPress is open source software that is both free and priceless.

The Technology

Learn about WordPress, where it’s been, and where it’s going.

The Details

There’s so much in the details. Stay abreast with the particulars.

The People

Learn about the community and how we get along.

Our Story

WordPress started in 2003 when Mike Little and Matt Mullenweg created a fork of b2/cafelog. The need for an elegant, well-architected personal publishing system was clear even then. Today, WordPress is built on PHP and MySQL, and licensed under the GPLv2. It is also the platform of choice for over 33% of all sites across the web.

The WordPress open source project has evolved in progressive ways over time, supported by skilled, enthusiastic developers, designers, scientists, bloggers, and more. WordPress provides the opportunity for anyone to create and share, from handcrafted personal anecdotes to world-changing movements. People with limited tech experience can use it “out of the box”, and more tech-savvy folks can customize it in remarkable ways.

Bill of Rights

WordPress is licensed under the General Public License (GPLv2 or later) which provides four core freedoms. Consider this the WordPress Bill of Rights:

The 1st Freedom

To run the program for any purpose.

The 2nd Freedom

To study how the program works and change it to make it do what you wish.

The 3rd Freedom

To redistribute.

The 4th Freedom

To distribute copies of your modified versions to others.

#####EOF##### WordPress Developer Resources | Official WordPress Developer Resources

Code Reference

Looking for documentation for the codebase?

Visit the reference

Themes

Want to learn how to start theming WordPress?

Develop Themes

Plugins

Ready to dive deep into the world of plugin authoring?

Develop Plugins

REST API

Getting started on making WordPress applications?

Make Applications

WP-CLI

Want to accelerate your workflow managing WordPress?

Run Commands

Block Editor

Creating the building blocks of WordPress?

Coming Soon

#####EOF##### WordPress.com
#####EOF##### The Best WordPress Sites in the World | WordPress.org

WordPress Website Showcase

The City University of New York

www2.cuny.edu

The City University of New York (CUNY) is the public university system of New York City, and the largest urban university in the United States.

Learn More →

The Obama Foundation

www.obama.org

The Obama Foundation was established in January 2014 to “carry on the great, unfinished project of renewal and global progress.” In the near future, the Foundation will oversee the design and construction of the Obama Presidential Center.

Learn More →

The Village Voice

www.villagevoice.com

The Village Voice was founded by Dan Wolf, Ed Fancher, and Norman Mailer in 1955 as “the nation’s first alternative newsweekly.” Winner of three Pulitzer Prizes, the Village Voice introduced free-form, high-spirited, and passionate journalism into the public discourse.

Learn More →

Ogilvy & Mather South Africa

www.ogilvy.co.za

The corporate website for legendary advertising agency Ogilvy & Mather in South Africa. Ogilvy & Mather South Africa’s origins lie with a small hot shop in Cape Town, founded by Bob Rightford, Brian Searle-Tripp and Roger Makin in 1976.

Learn More →

The National Puerto Rican Day Parade

www.nprdpinc.org

The National Puerto Rican Day Parade in NYC is the largest parade in the country.

Learn More →

Angry Birds

www.angrybirds.com

Rovio took the world by storm in 2009 with Angry Birds, an international mobile game phenomenon that quickly became the most downloaded game of all time. Over the years, Angry Birds has seen rapid growth and evolved into an entertainment…

Learn More →

Vogue India

www.vogue.in

Vogue.in is the Indian edition of internationally known brand, bringing you the best of global and Indian fashion, beauty, people, parties and culture.

Learn More →

thisisFINLAND

finland.fi

thisisFINLAND forms an attractive window on Finland for everyone interested in our country, its culture and its people. Produced by the Ministry for Foreign Affairs of Finland and published by the Finland Promotion Board, thisisFINLAND was originally established in 1995…

Learn More →

Canada.com

o.canada.com

Canada.com, featuring discussions about what Canadians are talking about, is owned and operated by Postmedia Network Inc., Canada’s largest publisher by circulation of paid English-language daily newspapers. canada.com complements Postmedia’s other properties including daily newspapers in cities across Canada like…

Learn More →

Featured Business Sites

Recently Added Sites

View All Showcase Sites →
#####EOF##### WordPress.com
#####EOF##### Features to help you publish anything, anywhere

Features to help you publish anything, anywhere.

  • Choose a plan that works for you
  • Customize as much or as little as you want
  • Get help when you need it
  • Tell your story
Get Started

Get Started

  1. Create a robust website

    … or a blog, or a combination of both. Personal blog, portfolio, business site — it’s up to you.

  2. Plans for any budget

    Start for free. Upgrade for advanced customization, security, and SEO tools. Or stay free!

  3. Custom domains

    Add a custom domain to carve out your own space on the web, and manage it right from WordPress.com.

You’re in good company

Over 30% of the web runs on WordPress. WordPress.com is home to everyone from brand new bloggers and entrepreneurs, to major brands like TIME, TED, and Spotify.

Realize your vision

Dozens of themes

Choose from hundreds of customizable themes, with new additions weekly.

Mobile-friendly

Create a mobile-friendly site with a click, or choose from a selection of responsive themes that look great everywhere.

Fast, friendly support

Get expert help — our team of Happiness Engineers is standing by.

Help when you want it

Support is available 24/7 via email and our community forums. For folks with a paid plan, Happiness Engineers are available via live chat for real-time assistance.

Tell your story

Write without worry

Our editor is fast, intuitive, and saves your work every few seconds, so you never miss a word.

Upload or embed media

Drag-and-drop images into posts and pages. Create designer-worthy photo galleries. Embed audio, video, and more.

Mobile and desktop apps

Update your site from anywhere with mobile and desktop apps for iOS, Android, Mac, Windows, and Linux systems.

Own your content

Whatever you create on WordPress.com is yours to keep. Export your content at any time — wherever life takes you, your content follows.

Find your fans

  1. Built-in social sharing

    Automatically send new posts to Twitter, Facebook, and more, and add social tools to help readers share.

  2. In-depth stats

    Learn more about your visitors — where they’re from, what they read, when they visit — with rich stats.

  3. Search engine optimized

    Make it easy for new fans to find you with built-in sitemaps and other SEO tools. All you have to do is publish.

The biggest community of online publishers

WordPress.com has millions of users. The WordPress.com Reader helps them find you — and lets you find fascinating new reads.

Create a feature-rich blog or website today

Get Started
#####EOF##### WordPress.com
#####EOF##### Enterprise WordPress hosting, support, and consulting – WordPress VIP – Our best-in-class enterprise WordPress hosting platform, expert consulting and support, and diverse partner ecosystem free you to focus on your business objectives.

We support your applications as if they were our own.

We review every line of code and closely vet technical integrations. Our clients tell us that the standards we introduce bring confidence and creative freedom to their developers, trust to leadership, and efficiency and order to their pipelines.

“In the past, if a website wasn’t meeting its goals, the marketing campaign would be over before the team was able to make any improvements. Now, changes like this happen instantly. It’s a new world for us.”

— Ryan Pugatch, HBG

“Working with WordPress.com VIP allows our team to focus on building awesome stuff”

— David Parsons, USA Today
USA Today logo

You’re in good company.

We have the pleasure of working with clients representing the best of the best in media, marketing, and more.

A complete solution for digital publishing.

Top-notch enterprise WordPress hosting, support, and guidance. Ready models, processes, and plugins to deliver your business goals. Deep, extensible capabilities. Diverse technology partnerships. Vast developer ecosystem.

Highly available and robust APIs

Connect WordPress to all kinds of systems and processes, including mobile apps and decoupled front ends. The possibilities are endless.

Backwards compatibility and forward flexibility

Free your pipeline from maintenance updates and releases, and never worry again about what version you’re running.

The power of open source

Avoid vendor lock-in, enjoy the transparency of a public roadmap, take advantage of the knowledge base in the enterprise user community, and join a massive ecosystem.

Total cost of ownership

Savings from licensing fees, flat-rate traffic pricing, included code review, and our managed hosting and support services all reduce CapEx and OpEx burdens when compared with other solutions.

A different kind of partnership

Do business at human scale, with a team of people who won’t disappear after the contract is signed, and who are personally invested in your success. We’re proud to be considered pioneers of an open, globally distributed, agile way of working.

Freedom to focus

Whether you're seeking end-to-end guidance or just rock-solid WordPress hosting and support, we've got you covered. Put your resources against their highest value efforts. Leave the upgrades, performance, security, and scale to us.

Ready to get started?

Drop us a note.

No matter where you are in the planning process, we’re happy to help, and we’re actual humans here on the other side of the form. 👋 We’re here to discuss your challenges and plans, evaluate your existing resources or a potential partner, or even make some initial recommendations. And, of course, we’re here to help any time you’re in the market for some robust WordPress awesomeness.

#####EOF##### Support — WordPress.com

Need Help?

Start

Build the site of your dreams with WordPress.com. Learn about our best features, and how to get started.

Let's Go

Create

Write, click, publish, and revel. Your words can be read by anyone in the world. Isn't that exciting?

Show Me How

Customize

Find the perfect theme for your site and make it your own with widgets, menus, and custom design.

Make It Mine

Connect

Share your work with the world through Facebook, Twitter, and other social networks.

Get Connected

We care about your happiness!

They don't call us Happiness Engineers for nothing. If you need help, don't sweat it. We're here for you!

Get Help
#####EOF##### WordPress.com
#####EOF##### Create a Blog with WordPress.com

Create your blog and share your voice in minutes.

WordPress.com makes it easy for you to start your own blog. Sign up for free to start sharing your ideas.

Customize your domain name

Example domains: infocusphotographers.com, cortadocoffeesf.com, leahrand.com, avayoung.blog, mightyleaftearoom.com

Register a new domain
Register a domain for your site to make it easier to remember and easier to share.
Bring your own domain
Already have a domain name? Point it to your WordPress.com website in a few easy steps.
Connect your email
Use your custom domain in your email address by activating email forwarding, G Suite, or other email services.

Every feature you need to create a powerful blog

Optimized for growth
WordPress.com has built-in SEO, social media integration, and sharing features. Plug into our high-traffic network and reach new readers.
All-in-one hosting
Enjoy website design, domain registration, hassle-free automatic software updates, and secure hosting on servers spread across multiple data centers.
Help when you want it
Our Happiness Engineers work night and day through live chat, email, support pages, videos, and forums to answer any questions you have.
Designed for success
Start with a modern site design and customize it with your branding, content, and features. All Premium blogs include custom CSS.
Powerful statistics
Keep your finger on the pulse of your blog’s activity with website statistics. Colorful charts and graphs help you understand what your readers like and how they found you.
Mobile ready
With our responsive themes and mobile and desktop apps, you’ll enjoy a seamless experience on any device and so will your blog visitors.

Outstanding design

Find a unique style for your site: WordPress.com features hundreds of high–quality designs. You don’t need to learn web design to create the blog of your dreams.
Featured themes: Spatial, Dyad, Perle, Marquee, Publication, Goodz, Illustrar

People love WordPress.com.

It’s been a great privilege and a life-changing experience. I’m grateful to WordPress.com for providing an affordable and user-friendly platform for individuals to launch projects and be heard in this way.
Ann Morgan
ayearofreadingtheworld.com
I looked into what other bloggers whom I admired were using, and the Cadillac of platforms is WordPress.com, hands down. The themes are breathtaking — even the free ones! — and all of the supporting infrastructure and information is top shelf.
Alexis Kanda-Olmstead
alexiskanda-olmstead.com

Choose your plan

Personal

$4

per month, billed yearly

Best for Personal Use: Boost your website with a custom domain name, and remove all WordPress.com advertising. Get access to high quality email and live chat support.

Start with Personal

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Dozens of Free Themes
  • Basic Design Customization
  • 6GB Storage Space
  • Remove WordPress.com Ads

Premium

$8

per month, billed yearly

Best for Entrepreneurs & Freelancers: Build a unique website with advanced design tools, CSS editing, lots of space for audio and video, and the ability to monetize your site with ads.

Start with Premium

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • 13GB Storage Space
  • Remove WordPress.com Ads
  • Simple Payments
  • Monetize your site
  • VideoPress support

Business

WordPress.com Business
$25

per month, billed yearly

Best for Small Business: Power your business website with unlimited premium and business theme templates, Google Analytics support, unlimited storage, and the ability to remove WordPress.com branding.

Start with Business

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • Unlimited Storage Space
  • Remove WordPress.com Ads
  • Simple Payments
  • Monetize your site
  • VideoPress support
  • Jetpack Search
  • Attend live courses
  • SEO Tools
  • Install Plugins NEW
  • Upload themes NEW
  • Google Analytics Integration
  • Remove WordPress.com Branding

You asked, we answered

You can pay for your brand new WordPress.com plan, add-ons, and domains in the Store checkout using any major credit card, debit card, or PayPal.
Plans and domains renew annually and we take care of everything. We charge your account one month before the end of the subscription period. If your payment information needs updating, we’ll let you know.
Purchases made on WordPress.com can be canceled and refunded during the refund period. You can also unsubscribe at any time if you don’t want your subscription to renew.
On WordPress.com, we provide e-mail forwarding, but if you’d rather have full email hosting, you can connect another provider to your custom domain.
Absolutely. You can change your blog language, which is how your readers will experience your site and the Interface Language, which changes the admin tools language. The language you use on your blog is up to you!
Yes! You can sell individual items on your blog using your PayPal account and a button directing your readers to the PayPal payment screen. You can also publish sponsored posts or use affiliate links in your content, and apply to join WordAds, our advertising program.
Premium themes are paid themes with exciting options for customization and exclusive support from theme authors themselves. Choose the Premium Plan or Business Plan for unlimited Premium Themes.
It is possible to import your blog content from a variety of other blogging platforms, including Blogger, LiveJournal, Movable Type, Tumblr, Typepad, Xanga, and more. You can also easily import your content from a self-hosted WordPress site.

Our users love WordPress.com

WordPress is simply awesome. With lots of features and elegant themes to choose from, it leads the blogging front.

—Chandan Sinha

I absolutely love the WordPress community of fellow bloggers you can learn and share with. Anyone can get started very easily.

—Naureen

Start your blogging adventure today

#####EOF##### Get Involved — WordPress

WordPress.org

Make WordPress

WordPress Community Summit 2017

Whether you’re a budding developer, a designer, or just like helping out, we’re always looking for people to help make WordPress even better.

If you want to get involved in WordPress, this is the place to be. We’ve got blogs for each contributor group, general news, and upcoming events.

There are many different ways for you to get involved with WordPress:

Core

The core team makes WordPress. Whether you’re a seasoned PHP developer or are just learning to code, we’d love to have you on board. You can write code, fix bugs, debate decisions, and help with development.

Learn more about Core »

Weekly chats: Wednesdays @ 21:00 UTC

#core on Slack

Design

The design group is focused on designing and developing the user interface. It’s a home for designers and UXers alike. There are regular discussions about mockups, design, and user testing.

Learn more about Design »

Weekly chats: Wednesdays @ 19:00 UTC

#design on Slack

Mobile

The mobile team builds the iOS and Android apps. Lend them your Java, Objective-C, or Swift skills. The team also needs designers, UX experts, and testers to give users a smooth experience on every device.

Learn more about Mobile »

Accessibility

The a11y group provides accessibility expertise across the project. They make sure that WordPress core and all of WordPress’ resources are accessible.

Learn more about Accessibility »

Weekly chats: Fridays @ 15:00 UTC

#accessibility on Slack

Polyglots

WordPress is used all over the world and in many different languages. If you’re a polyglot, help out by translating WordPress into your own language. You can also assist with creating the tools that make translations easier.

Learn more about Polyglots »

Weekly chats: Wednesdays @ 10:00 UTC

#polyglots on Slack

Support

Answering a question in the support forums or IRC is one of the easiest ways to start contributing. Everyone knows the answer to something! This blog is the place for discussion of issues around support.

Learn more about Support »

Weekly chats: Thursdays @ 17:00 UTC

#forums on Slack

Documentation

Good documentation lets people help themselves when they get stuck. The docs team is responsible for creating documentation and is always on the look-out for writers. The blog has discussion around the team’s current projects.

Learn more about Documentation »

Weekly chats: Thursdays @ 18:00 UTC

#docs on Slack

Themes

The Theme Review Team reviews and approves every Theme submitted to the WordPress Theme repository. Reviewing Themes sharpens your own Theme development skills. You can help out and join the discussion on the blog.

Learn more about Themes »

Weekly chats: Tuesdays @ 18:00 UTC

#themereview on Slack

Plugins

If you are a Plugin developer, subscribe to the Plugin review team blog to keep up with the latest updates, find resources, and learn about any issues around Plugin development.

Learn more about Plugins »

Community

If you’re interested in organizing a meetup or a WordCamp, the community blog is a great place to get started. There are groups working to support events, to create outreach and training programs, and generally support the community.

Learn more about Community »

Meta

The Meta team makes WordPress.org, provides support, and builds tools for use by all the contributor groups. If you want to help make WordPress.org better, sign up for updates from the Meta blog.

Learn more about Meta »

Training

The training team creates downloadable lesson plans and related materials for instructors to use in a live workshop environment. If you enjoy teaching people how to use and build stuff for WordPress, immediately stop what you’re doing and join our team!

Learn more about Training »

Weekly chats: Thursdays @ 19:30 UTC

#training on Slack

Test

The Test team patrols flow across the entire WordPress ecosystem on every device we have at hand. We test, document, and report on the WordPress user experience. Through continuous dogfooding and visual records, we understand not only what is wrong, but also what is right. We immerse ourselves in the context of what we are making and champion user experience.

Learn more about Test »

TV

The TV team reviews and approves every video submitted to WordPress.tv. They also help WordCamps with video post-production and are responsible for the captioning and subtitling of published videos. Reviewing videos is a great way to learn about WordPress and help the community: experience is not required to get involved.

Learn more about TV »

Weekly chats: Thursdays @ 17:00 UTC

#wptv on Slack

Marketing

Our vision for the Marketing Team is to be the go-to resource for strategy and content for other WordPress teams.

Learn more about Marketing »

Weekly chats: Wednesdays @ 15:00 UTC

#marketing on Slack

CLI

WP-CLI is the official command line tool for interacting with and managing your WordPress sites.

Learn more about CLI »

Weekly chats: Tuesdays @ 16:00 UTC

#cli on Slack

Hosting

We collaborate here on best hosting practices and tools for the community. If you have experience hosting WordPress, we’d love to have you join us!

Learn more about Hosting »

Weekly chats: Wednesdays @ 18:00 UTC

#hosting-community on Slack

Tide

Tide is a series of automated tests run against every plugin and theme in the directory; it then displays PHP compatibility results and test errors/warnings in the directory.

Learn more about Tide »

Weekly chats: Tuesdays @ 22:00 UTC

#tide on Slack
#####EOF##### WordPress Mobile Apps | WordPress.org

WordPress.org

WordPress Mobile Apps

Inspiration strikes any time, anywhere. WordPress mobile apps put the power of publishing in your hands, making it easy to create and consume content. Write, edit, and publish posts to your site, check stats, and get inspired with great posts in the Reader. And of course, they’re open source, just like WordPress.

Get a Mobile App

WordPress mobile apps support WordPress.com and self-hosted WordPress.org sites running WordPress 4.0 or higher. Learn more

#####EOF##### Features to help you publish anything, anywhere

Features to help you publish anything, anywhere.

  • Choose a plan that works for you
  • Customize as much or as little as you want
  • Get help when you need it
  • Tell your story
Get Started

  1. Create a robust website

    … or a blog, or a combination of both. Personal blog, portfolio, business site — it’s up to you.

  2. Plans for any budget

    Start for free. Upgrade for advanced customization, security, and SEO tools. Or stay free!

  3. Custom domains

    Add a custom domain to carve out your own space on the web, and manage it right from WordPress.com.

You’re in good company

Over 30% of the web runs on WordPress. WordPress.com is home to everyone from brand new bloggers and entrepreneurs, to major brands like TIME, TED, and Spotify.

Realize your vision

Dozens of themes

Choose from hundreds of customizable themes, with new additions weekly.

Mobile-friendly

Create a mobile-friendly site with a click, or choose from a selection of responsive themes that look great everywhere.

Fast, friendly support

Get expert help — our team of Happiness Engineers is standing by.

Help when you want it

Support is available 24/7 via email and our community forums. For folks with a paid plan, Happiness Engineers are available via live chat for real-time assistance.

Tell your story

Write without worry

Our editor is fast, intuitive, and saves your work every few seconds, so you never miss a word.

Upload or embed media

Drag-and-drop images into posts and pages. Create designer-worthy photo galleries. Embed audio, video, and more.

Mobile and desktop apps

Update your site from anywhere with mobile and desktop apps for iOS, Android, Mac, Windows, and Linux systems.

Own your content

Whatever you create on WordPress.com is yours to keep. Export your content at any time — wherever life takes you, your content follows.

Find your fans

  1. Built-in social sharing

    Automatically send new posts to Twitter, Facebook, and more, and add social tools to help readers share.

  2. In-depth stats

    Learn more about your visitors — where they’re from, what they read, when they visit — with rich stats.

  3. Search engine optimized

    Make it easy for new fans to find you with built-in sitemaps and other SEO tools. All you have to do is publish.

The biggest community of online publishers

WordPress.com has millions of users. The WordPress.com Reader helps them find you — and lets you find fascinating new reads.

Create a feature-rich blog or website today

Get Started
#####EOF##### WordPress.com: Create a Free Website or Blog
Watch Annette’s story

Build a website, build a movement.

Whatever you want to create, share, or sell, we’ll help you do it right here.

Free to start, with room to grow.

Whether it’s a website, online store, portfolio, or blog, our plans scale with your dreams. All you need is an idea and an internet connection.

Blogger

$3

per month, billed yearly

Best for Bloggers: Brand your blog with a custom .blog domain name, and remove all WordPress.com advertising. Receive additional storage space and email support.

Start with Blogger

  • Free .blog Domain for One Year
  • Jetpack Essential Features
  • Email Support
  • Dozens of Free Themes
  • Basic Design Customization
  • 6GB Storage Space
  • Remove WordPress.com Ads

Personal

$5

per month, billed yearly

Best for Personal Use: Boost your website with a custom domain name, and remove all WordPress.com advertising. Get access to high-quality email and live chat support.

Start with Personal

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Dozens of Free Themes
  • Basic Design Customization
  • 6GB Storage Space
  • Remove WordPress.com Ads

Premium

$8

per month, billed yearly

Best for Freelancers: Build a unique website with advanced design tools, CSS editing, lots of space for audio and video, and the ability to monetize your site with ads.

Start with Premium

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • 13GB Storage Space
  • Remove WordPress.com Ads
  • Advanced Social Media
  • Simple Payments
  • Site Monetization
  • VideoPress Support

Business

$25

per month, billed yearly

Best for Small Businesses: Power your business website with unlimited premium and business theme templates, Google Analytics support, unlimited storage, and the ability to remove WordPress.com branding.

Start with Business

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • Unlimited Storage Space
  • Remove WordPress.com Ads
  • Advanced Social Media
  • Simple Payments
  • Site Monetization
  • VideoPress Support
  • Get Personalized Help
  • SEO Tools
  • Upload Plugins
  • Install Themes
  • Google Analytics Integration
  • Remove WordPress.com Branding

eCommerce

$45

per month, billed yearly

Best for Online Stores: Sell products or services with this powerful, all-in-one online store experience. This plan includes premium integrations and is extendable, so it’ll grow with you as your business grows.

Start with eCommerce

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • Unlimited Storage Space
  • Remove WordPress.com Ads
  • Advanced Social Media
  • Simple Payments
  • Site Monetization
  • VideoPress Support
  • Get Personalized Help
  • SEO Tools
  • Upload Plugins
  • Install Themes
  • Google Analytics Integration
  • Remove WordPress.com Branding
  • Accept Payments in 60+ Countries
  • Integrations with Top Shipping Carriers
  • Unlimited Products or Services
  • eCommerce Marketing Tools
  • Premium Customizable Starter Themes

WordPress.com Free

A free WordPress.com site includes a WordPress.com subdomain, community support, dozens of free themes, basic design customization, and more. Start with Free ›

What can you do on WordPress.com?

WordPress.com gives you everything you need to create anything you want. It’s flexible, secure, and powerful, just like you want your business to be.

Build a fan base.
Promote your products, use advanced statistics and SEO tools, and connect with built-in audiences on social media to grow your business.
Open a store.
Process payments, configure taxes and shipping, build a marketing plan—you make the widgets, we’ll make the website.
Start a blog.
Everyone has a point of view. Make your mark online with the world’s greatest blogging tool, and join a community millions strong that’s waiting to hear what you have to say.
Design a portfolio.
Thousands of themes mean there’s a layout that’s just right for you, while storage and design options ensure you can upload anything you need to and give your work the stage it deserves.
Getting started is easy.

Engineering happiness.

Our 24/7 support is powered by actual people. We call them Happiness Engineers.

From configuring settings to publishing pages to helping you pick the perfect design, they’re all ears, all smiles, and all human. Happiness Engineers also work all around the world—and around the clock, so there’s always someone there when you need them.

More than 300 humans, available 24/7, instantly.

You’re in good company.

People all over the world are doing all sorts of amazing things on WordPress.

Watch Annette’s story

An innovative New York City hair salon.

I looked into what other bloggers whom I admired were using, and the Cadillac of platforms is WordPress.com, hands down. The themes are breathtaking — even the free ones! — and all of the supporting infrastructure and information is top shelf.
Alexis Kanda-Olmstead
alexiskanda-olmstead.com
WordPress.com works really well with Google for a great SEO ranking. I can also embed YouTube videos, Google Maps, and other content easily and without any coding ability.
Quintin Lake
theperimeter.uk

You can. You will. We’ll help.

Invent the world’s greatest cat food, save a rainforest, start a needlepoint club. Whatever it is, it’s going to need a website — that’s where we come in.

#####EOF##### 44CON CYBER SECURITY 2016 – 44CON
#####EOF##### The WordPress.com Blog

WordPress.com’s Parent Company Announces Happy Tools, a New Suite of Products for the Future of Work

Happy Schedule, our first offering, will help distributed teams manage employee schedules and customer support.

Want to start a blogging habit or set up a business website?
Get step-by-step guidance from WordPress.com pros, right in your inbox. Our email courses are free to all and there are no prerequisites.

Visit Blogging University

Create your new blog or website for free

Get Started

#####EOF##### Support | WordPress.org

WordPress.org

Basic Usage

Write and edit posts and pages with your text, images and other media.

Customizing

Find the right themes, plugins, widgets to make your site match your needs.

Maintenance

Backup, PHP versions, streamlining or even automating your regular tasks.

Advanced Topics

WordPress is very flexible and versatile. Here are some examples of what you can do, just to get your imagination started.

Troubleshooting

Is anything wrong? Did you get hacked? First: continue to breathe. Next, have a look at these resources.

#####EOF##### Terms of Service — WordPress.com

Terms of Service

The Gist

We (the folks at Automattic) are on a mission to make the web a better place. We hope you love our products and services — from website publishing tools to ecommerce solutions to security backup systems to management tools for global companies to the next great idea that we haven’t even thought of yet — as much as we love creating them.

These Terms of Service (“Terms”) describe our commitments to you, and your rights and responsibilities when using our services. Please read them carefully and reach out to us if you have any questions.

We’ve decided to make these Terms available under a Creative Commons Sharealike license. You can grab a copy of these Terms and other legal documents on Github. You’re more than welcome to copy them, adapt them, and repurpose them for your own use. Just make sure to revise the language so that your Terms reflect your actual practices. Also, if you do use these Terms, we’d appreciate a credit and link to Automattic somewhere on your website.

Terms of Service

These Terms govern your access to and use of WordPress.com, Jetpack.com, VaultPress.com, and Happy.Tools, as well as all content and Automattic products and services (for example, ecommerce services as outlined below in Section 7e) available at or through these websites (collectively, “Services”).

These Terms also govern visitors’ access to and use of any websites that use our Services, such as websites hosted on WordPress.com that are operated by our users.

For some of Automattic’s other products and services, such as WooCommerce, Akismet, CrowdSignal, and WordPress.com VIP, additional Terms of Service may apply and will be posted on the websites for those products and services.

Our Services are offered subject to your acceptance, without modification, of all of the terms and conditions contained herein and all other operating rules, policies (including, without limitation, Automattic’s Privacy Policy), and procedures that may be published from time to time by Automattic (collectively, the “Agreement”). You agree that we may automatically upgrade our Services, and the Agreement will apply to any upgrades.

Please read the Agreement carefully before accessing or using our Services. By accessing or using any part of our Services, you agree to become bound by the Agreement. If you do not agree to all the terms of the Agreement, then you may not access or use our Services.

1. Who’s Who

Throughout these Terms, “you” applies to both individuals and entities that access or use our Services. If you are an individual using our Services on behalf of an entity, you represent and warrant that you have the authority to bind that entity to the Agreement and that by using our Service(s), you are accepting the Agreement on behalf of that entity.

We use the term “Designated Countries” to refer to Australia, Canada, Japan, Mexico, New Zealand, and all countries located in the European continent. If you reside in the “Designated Countries,” your Agreement is with Aut O’Mattic A8C Ireland Ltd. If you reside outside of the “Designated Countries,” your Agreement is with Automattic Inc.

We refer to Aut O’Mattic A8C Ireland Ltd. and Automattic Inc. collectively as “Automattic” or “we” throughout these Terms.

2. Your Account

Where use of our Services requires an account, you agree to provide us with complete and accurate information when you register for an account. You will be solely responsible and liable for any activity that occurs under your username. You are responsible for keeping your account information up-to-date and for keeping your password secure.

You are responsible for maintaining the security of your account and any Service-related website, store, or other content, and you are fully responsible for all activities that occur under your account and any other actions taken in connection with our Services. You shall not share or misuse your access credentials. You must immediately notify us of any unauthorized uses of your account, store, or website, or of any other breach of security. We will not be liable for any acts or omissions by you, including any damages of any kind incurred as a result of such acts or omissions.

3. Minimum Age Requirements

Our Services are not directed to children. Access to and use of our Services is only for those over the age of 13 (or 16 in the European Union). If you are younger than this, you may not register for or use our Services. Any person who registers as a user or provides their personal information to our Services represents that they are 13 years of age or older (or 16 years or older in the European Union).

4. Responsibility of Visitors and Users

We have not reviewed, and cannot review, all of the content (such as, but not limited to, text, photo, video, audio, code, computer software, items for sale, or other materials) posted to our Services by users or anyone else (“Content”) and are not responsible for any use or effects of such Content. So, for example:

  • We do not endorse any Content or represent that Content is accurate, useful, or non-harmful. Content could be offensive, indecent, or objectionable; include technical inaccuracies, typographical mistakes, or other errors; or violate or infringe the privacy, publicity rights, intellectual property rights (see our Copyright Infringement and DMCA Policy section to submit copyright complaints), or other proprietary rights of third parties.
  • If you post Content, comment on a website, or otherwise make (or allow any third party to make) Content available on our Services, you are entirely responsible for the Content, and any harm resulting from, that Content or your conduct.
  • We disclaim any responsibility for any harm resulting from anyone’s use, purchase, or downloading of Content. If you access or use any Content, you are responsible for taking precautions as necessary to protect yourself and your computer systems from viruses, worms, Trojan horses, and other harmful or destructive content.
  • Any Content offered for sale through any of our Services is the seller’s sole responsibility, and you agree that you will look solely to the seller for any damages that result from your purchase or use of Content.
  • We are not a party to, and will have no responsibility or liability for, any communications, transactions, interactions, or disputes between you and the provider of any Content.
  • Please note that additional third party terms and conditions may apply to the downloading, copying, purchase, or use of Content.

We also have not reviewed, and cannot review, all of the material, including computer software, made available through the websites and web pages that link to, or are linked from, WordPress.com or our other Services. For example:

  • We do not have any control over those websites and are not responsible for their contents or their use.
  • The existence of a link to or from one of our Services does not represent or imply that we endorse such website.
  • You are responsible for taking precautions as necessary to protect yourself and your computer systems from viruses, worms, Trojan horses, and other harmful or destructive content.
  • We disclaim any responsibility for any harm resulting from non-Automattic websites.

5. Fees, Payment, and Renewal

Fees. Some of our Services are offered for a fee — such as Jetpack, VaultPress, and Happy Tools — while other Services may be free with optional paid upgrades, such as a WordPress.com plan (collectively, “Paid Services”). By using a Paid Service, you agree to pay the specified fees. Depending on the Paid Service, there may be a one-time fee or recurring fees. For recurring fees, we’ll bill or charge you at regular intervals (such as monthly, annually, or biennially), on a pre-pay basis until you cancel, which you can do at any time by contacting the relevant support team.

Taxes. To the extent permitted by law, or unless explicitly stated otherwise, all fees are exclusive of applicable federal, provincial, state, local or other governmental sales, goods and services, harmonized or other taxes, fees, or charges now in force or enacted in the future (“Taxes”). You are responsible for payment of all applicable Taxes relating to your use of our Services, your payments, or your purchases. If we are obligated to pay or collect Taxes on the Fees you’ve paid or will pay, you are responsible for such Taxes, and we may collect payment for such Taxes.

Payment. If your payment fails or Paid Services are otherwise not paid for on time, we may immediately cancel or revoke your access to the Paid Services. If you contact your bank or credit card company to decline or reverse the charge of fees for Paid Services, we may revoke your access to our Services in general.

Automatic Renewal. To ensure uninterrupted service, recurring Paid Services are automatically renewed. This means that unless you cancel a Paid Service before the end of the applicable subscription period, it will automatically renew, and you authorize us to invoice you or use any payment mechanism we have on record for you to collect the then-applicable subscription fee (as well as any Taxes). Your Paid Services are renewed for the same interval of time. For example, if you purchase a WordPress.com annual plan, you will be charged each year.

Refunds. While you may cancel a Paid Service at any time, refunds are issued in our sole discretion, unless otherwise required by applicable law.

Fee Changes. We may change our fees at any time. When applicable, we may give you advance notice of the fee changes. If you don’t agree with the fee changes, you can cancel your Paid Service.

6. General Representation and Warranty

You represent and warrant that your use of our Services:

  • Will be in strict accordance with these Terms;
  • Will comply with all applicable laws and regulations (including, without limitation, all applicable laws regarding online conduct and acceptable content, privacy, data protection, and the transmission of technical data exported from the United States or the country in which you reside);
  • Will not use the Services for any unlawful purposes, to publish illegal content, or in furtherance of illegal activities;
  • Will not infringe or misappropriate the intellectual property rights of any third party;
  • Will not overburden Automattic’s systems, as determined by us in our sole discretion;
  • Will not disclose sensitive personal information of others;
  • Will not be used to send spam or bulk unsolicited messages;
  • Will not interfere with, disrupt, or attack any service or network; and
  • Will not be used to create, distribute, or enable material that is – or that facilitates or operates in conjunction with – malware, spyware, adware, or other malicious programs or code.

7. Specific Service Terms

a. WordPress.com Websites and Accounts

WordPress.com enables you to create beautiful websites and blogs, and we would love for you to use it. A WordPress.com account also allows you to sign into some of our Services.

WordPress.com’s basic service is free, and we offer paid plans for advanced features such as a custom domain name, extra storage, and access to premium themes. Our service is designed to give you as much control and ownership over what goes on your website as possible and encourage you to express yourself freely. However, be responsible in what you publish. In particular, make sure that none of the prohibited items (like spam, viruses, or serious threats of violence) appear on your website.

If you find a WordPress.com website that you believe violates these Terms, please visit our dispute resolution and reporting page.

Your WordPress.com Website. If you create a website on WordPress.com, you get to use an Automattic-owned subdomain, such as example.wordpress.com or mollys.food.blog. You must not engage in “domain squatting,” claim an unreasonable number of subdomains (as determined by us), or sell access to any subdomains.

License. By submitting Content to Automattic for inclusion on your website, you grant Automattic a world-wide, royalty-free, and non-exclusive license to reproduce, modify, adapt, and publish the Content solely for the purpose of displaying, distributing, and promoting your website. This license also allows Automattic to make any publicly-posted Content available to third parties selected by Automattic (through Firehose, for example) so that these third parties can analyze and distribute (but not publicly display) the Content through their services. You also give other WordPress.com users permission to share your Content on other WordPress.com websites and add their own Content to it (aka to “reblog” your Content), so long as they use only a portion of your post and they give you credit as the original author by linking back to your website (the reblogging function on WordPress.com does this automatically!).

Removing Content. If you delete Content, we will use reasonable efforts to remove it from public view (or in the case of a private website, from view by the authorized visitors) on WordPress.com, but you acknowledge that caching or references to the Content may not be made immediately unavailable.

Web Traffic. We use a third party, comScore, Inc. (“comScore”), to measure WordPress.com’s audience and usage. By hosting your website on WordPress.com, you agree to assign the traffic relating to your website to Automattic and authorize us to sign a Traffic Assignment Letter on your behalf for comScore audience measurement reports. Your website’s traffic will be included under Automattic. You understand that your website will not receive credit for traffic in these reports, and you must not assign your website’s traffic to any other party. If we or comScore require additional documentation to verify ownership of your website or domain name, you agree to make reasonable efforts to accommodate such requests.

Prohibited Uses. By using WordPress.com, you represent and warrant that your Content and conduct do not violate the User Guidelines.

HTTPS. We offer free HTTPS on all WordPress.com websites by default, including those using custom domains, via Let’s Encrypt. By signing up and using a custom domain on WordPress.com, you authorize us to act on the domain name registrant’s behalf (by requesting the necessary certificates, for example) for the sole purpose of providing HTTPS on your website.

Advertisements. We reserve the right to display advertisements on your website unless you have purchased a plan that includes the removal of ads.

Attribution. We reserve the right to display attribution text or links in your website footer or toolbar, attributing WordPress.com or the theme author, for example. Some of these attributions may not be altered or removed. For more details about what these attributions might look like, and under which circumstances (if any) they may be altered or removed, please see our Admin and Action Bars support page.

Friends of WP.com Themes. By activating a partner theme from the Friends of WP.com section of our themes directory, you agree to that partner’s terms of service. You can decline the terms of service at any time by deactivating the partner theme.

Domain Names. We act as a registrar and also work with third party registrars in order to provide our users with domain name services. When you register or renew a domain name on WordPress.com, or when you transfer an existing domain name to WordPress.com, you become bound by the relevant registrar’s terms and conditions, either the Automattic Domain Name Registration Agreement, Tucows Domain Inc. Registration Agreement, or this Domain Name Registration Agreement, in addition to these Terms. Which registrar terms apply depends on the top-level domain (TLD) you choose, and in some cases, the date you register your domain, so please see this table that outlines all of the TLDs we offer and the applicable registration agreement to determine which agreement(s) apply to you. These registrar terms are incorporated by reference into these Terms.

Further, your use of the domain name is also subject to the policies of the Internet Corporation for Assigned Names and Numbers (“ICANN”). You can read about your rights and responsibilities as a domain name registrant under ICANN’s Registrar Accreditation Agreement and about domain name registration generally.

For details about what happens during the domain expiration process, and how we may notify you of domain expiration, please see the Domain Expiration support page.

Please refer to the domain pricing and available TLDs page for details about fees associated with domain registrations, renewals, and redemptions.

b. Jetpack

Jetpack is a plugin that connects your self-hosted WordPress website to WordPress.com’s infrastructure to give you powerful WordPress.com features.

Jetpack Content. You’re fully responsible for the content of any website you own that runs Jetpack (“Jetpack Content”).

Features. Jetpack includes various features, and you can visit Jetpack.com to learn more about them. Some features, like Enhanced Distribution, when activated, will include your Jetpack Content in Firehose. By activating these features, you grant us permission to display your Jetpack Content on WordPress.com for the purpose of distributing and promoting your website. Some features are on by default and others you need to enable manually. You can see which features are active, and activate and deactivate features, on your dashboard.

License. You agree that we may scan your website, and compile aggregated/anonymized statistics for our internal use to optimize Jetpack’s performance. By submitting Content to Automattic for inclusion on your website, you grant Automattic a world-wide, royalty-free, and non-exclusive license to reproduce, modify, adapt, and publish the Content solely for the purpose of displaying, distributing, and promoting your website. This license also allows Automattic to make any publicly-posted Content available to third parties selected by Automattic (through Firehose, for example) so that these third parties can analyze and distribute (but not publicly display) the Content through their services.

Storage of Information. Certain Jetpack features rely on WordPress.com servers to function, such as those that allow you to send email, publish links, relate posts to each other, or resize images. To take advantage of the performance boosting features of Jetpack, certain information about the Content, settings, and setup of your website are synced with our servers, as described on our What Data Does Jetpack Sync? support page.

Prohibited Uses. Your website and Jetpack Content must comply with Jetpack’s Service Guidelines.

c. VaultPress

VaultPress is a subscription-based security and backup service for self-hosted WordPress websites.

VaultPress Content. VaultPress will back up your WordPress content (e.g., your WordPress database, plugins, themes, and uploads, as well as some additional files, as described in this introduction to VaultPress) (“VaultPress Content”). You can view the Content that VaultPress backs up via your VaultPress dashboard. You’re fully responsible for your VaultPress Content. It’s your responsibility to ensure that your website’s Content abides by applicable laws and by these Terms. We don’t actively review the VaultPress Content.

Access. If you lose access to your WordPress.com account, you may not be able to access your backed up VaultPress Content.

License. By using VaultPress, you grant us access to your website’s servers for the purpose of backing up and securing your VaultPress Content, and restoring files and database information (which may include access details for multiple servers or accounts for each website that we back up). In order to address security vulnerabilities, we may push an upgrade to your website, or we may access your website to remove malicious code. We may also scan VaultPress Content and compile aggregated/anonymized statistics for our internal use to optimize the performance of the VaultPress service. You also grant us a worldwide, royalty-free, and non-exclusive license to copy and store your VaultPress Content, to the extent necessary to operate the VaultPress service. These Terms don’t give us any rights in your VaultPress Content, beyond those we need to operate VaultPress. You own your VaultPress Content.

Cancellation. If you cancel your subscription to VaultPress, we will queue your backed-up VaultPress Content for deletion.

d. Happy Tools

Happy Tools is a suite of software and consulting services to help modern and distributed companies manage, grow, and support their business.

Prohibited Uses. You agree not to:

  • Modify, decompile, reverse engineer or otherwise alter or seek to derive the trade secrets and other inherent intellectual property of Happy Tools; or
  • License, sublicense, sell, resell, rent, lease, transfer, assign, distribute, or otherwise commercially exploit or make Happy Tools available to any third party, other than your authorized users.

e. Ecommerce Services

There are certain features offered via WooCommerce, WooCommerce Services, or WordPress.com that enable you to sell items (goods, content, services, etc.) on your website (“Ecommerce Services”). If you use WooCommerce, the WooCommerce Use Terms also apply.

Usage of Information. WooCommerce Services may require Automattic’s servers, a connection to our partners, and/or data from your website, to work, as described on our What Data Does Jetpack Sync? support page.

Prohibited Uses. If your store is on WordPress.com, you must not violate our User Guidelines or Store Guidelines.

Third Party Services. You may choose to set up and/or use third party services, such as Stripe or PayPal to collect payment, TaxJar to calculate taxes, or EasyPost to manage shipping. If you do so, be aware that some of your — and your customers’ — data may be passed to the respective third party, and the respective third party’s terms of service, privacy policy, and other policies may apply. We are not involved in these relationships. Please note that some of these third party services (like TaxJar) may be enabled by default, but you may disable them before your store is set up. If you do not want to use these third party services, please disable them.

Tax Calculations. Tax calculations are provided by TaxJar. You are responsible for all taxes and fees associated with your ecommerce activities. You must collect, report, and/or pay the correct amounts to the appropriate authorities, if applicable and, if needed, inform your customers about any taxes they may be required to pay and issue appropriate invoices. While some Ecommerce Services allow you to include sales taxes or Value Added Taxes in transactions, you should not rely solely on these features. While our goal is to keep our documents and tools up-to-date, tax laws change rapidly, and we do not guarantee that tax calculations you receive through or in connection with our Services are complete and accurate. Tax laws also differ from jurisdiction to jurisdiction and may be subject to different interpretations by different authorities. We recommend that you consult with a tax professional for your specific tax situation when assessing the correct tax rates you should charge.

Shipping Services. Shipping labels are provided by EasyPost and allow you to take advantage of real-time shipping rates to purchase postage and print shipping labels from certain mailing services, such as USPS and Canada Post. We act only as an intermediary between you and these third parties; we are not involved in any way with your product or its shipment. We also do not warrant that the results you obtain from the use of these services (rates and labels, for example) will be accurate or reliable.

You are solely responsible for compliance with all applicable rules and regulations, including domestic and international shipping and customs regulations and those of the relevant mailing service. For example, if you use USPS postage, you will need to comply with their shipping restrictions and mailing standards, among others.

In addition, you are solely responsible for customs charges, import taxes or duties, or any other charges related to your shipments. If any charges are assessed against us as a result of your use of the shipping services, you will reimburse us for the full amount within 7 days.

You authorize us to charge you for the fees associated with each shipping label you create. Each fee will be charged separately to the payment methods you have provided in your WordPress.com account, which you can view and manage as described on the Payment Methods support page. If you have multiple payment methods, you can select which should be used for the shipping label service. If we are unable to collect payment from you for these fees, you will be responsible for payment within 7 days; please contact us to remit payment.

Refunds for unused shipping labels must be requested in your store’s wp-admin within 30 days of creating the label. Please note that depending on your bank and the third party involved, it may take up to 45 days for your refund to issue. If you haven’t received your refund within this time frame, please contact us.

You may not transfer or sell postage and/or shipping labels to a third party.

Your Responsibilities. You are solely responsible for all of your ecommerce activities, including your store, your items, its operation, all applicable taxes and fees, compliance with the Payment Card Industry Data Security Standard (PCI DSS), and compliance with any applicable laws. Among other things, this means that:

  • You should use your best judgment when setting up your store, operating your store, processing payments, and selling items. For example, you may not want to accept check payments if you are not comfortable sharing your mailing address with a customer, or you may want to publish payment and return policies.
  • We are not involved in your relationships or transactions with any customer or potential customer.
  • You are responsible for resolving all support questions, comments, and complaints, including refunds, chargebacks, or pricing questions. You should provide contact information so that customers may contact you with questions or complaints.
  • You are responsible for delivering items sold to your customers, and for fulfilling all promises, representations, or warranties you make to them in connection with a sale.

8. Copyright Infringement and DMCA Policy

As we ask others to respect our intellectual property rights, we respect the intellectual property rights of others. If you believe that material located on or associated with an Automattic product or service violates your copyright, please notify us in accordance with Automattic’s Digital Millennium Copyright Act (“DMCA”) Policy. We will respond to all such notices, including as required or appropriate by removing the infringing material or disabling all links to the infringing material. We will terminate a visitor’s access to and use of the website if, under appropriate circumstances, the visitor is determined to be a repeat infringer of the copyrights or other intellectual property rights of Automattic or others. In the case of such termination, we will have no obligation to provide a refund of any amounts previously paid to us.

9. Intellectual Property

The Agreement does not transfer from Automattic to you any Automattic or third party intellectual property, and all right, title, and interest in and to such property will remain (as between the parties) solely with Automattic. Automattic, WordPress, WordPress.com, the WordPress.com logo, and all other trademarks, service marks, graphics, and logos used in connection with WordPress.com or our Services, are trademarks or registered trademarks of Automattic or Automattic’s licensors. Other trademarks, service marks, graphics, and logos used in connection with our Services may be the trademarks of other third parties. Your use of our Services grants you no right or license to reproduce or otherwise use any Automattic or third party trademarks.

10. Third Party Services

In using the Services, you may enable or use services, products, software (like themes or plugins), embeds, or applications developed by a third party or yourself (“Third Party Services”) on your website.

If you use any Third Party Services, you understand that:

  • Third Party Services are not vetted, endorsed, or controlled by Automattic.
  • Any use of a Third Party Service is at your own risk, and we shall not be responsible or liable to anyone for Third Party Services.
  • Your use is solely between you and the respective third party (“Third Party”) and will be governed by the Third Party’s terms and policies. It is your responsibility to review the Third Party’s terms and policies before using a Third Party Service.
  • Some Third Party Services may request or require access to your (yours, your visitors’, or customers’) data, for example, via a pixel or cookie. If you use the Third Party Service or grant access, your data will be handled in accordance with the Third Party’s privacy policy and practices. We do not have control over how a Third Party Service may use your data. You should carefully review Third Party Services’ data collection, retention, and use policies and practices before enabling Third Party Services.
  • Third Party Services may not work appropriately with your website, and we may not be able to provide support for issues caused by any Third Party Services.
  • If you have questions or concerns about how a Third Party Service operates, or need support, please contact the Third Party directly.

In rare cases, we may at our discretion, suspend, disable, or remove Third Party Services from your account or website.

11. G Suite

If you purchase a G Suite subscription, this section applies. G Suite is provided by Google, and your use of G Suite is subject to Google’s Terms of Use for the services, which you’ll accept prior to using G Suite for the first time. Automattic is an authorized reseller of G Suite, but makes no warranties about the services provided by Google, and disclaims Google’s liability for any damages arising from our distribution and resale of their services. Google will provide technical support for its services, per its Technical Support Services Guidelines. If you’re a business and purchase G Suite for your WordPress.com website, you represent that you have 749 or fewer staff members.

12. Changes

We are constantly updating our Services and that means sometimes we have to change the legal terms under which our Services are offered. These Terms may only be modified by a written amendment signed by an authorized executive of Automattic, or by the posting by Automattic of a revised version. If we make changes that are material, we will let you know by posting on one of our blogs, or by sending you an email or other communication before the changes take effect. The notice will designate a reasonable period of time after which the new terms will take effect. If you disagree with our changes, then you should stop using our Services within the designated notice period, or once the changes become effective. Your continued use of our Services will be subject to the new terms. However, any dispute that arose before the changes shall be governed by the Terms (including the binding individual arbitration clause) that were in place when the dispute arose.

13. Termination

We may terminate your access to all or any part of our Services at any time, with or without cause, with or without notice, effective immediately. We have the right (though not the obligation) to, in our sole discretion, (i) reclaim your username or website’s URL due to prolonged inactivity, (ii) refuse or remove any content that, in our reasonable opinion, violates any Automattic policy or is in any way harmful or objectionable, or (iii) terminate or deny access to and use of any of our Services to any individual or entity for any reason. We will have no obligation to provide a refund of any amounts previously paid.

If you wish to terminate the Agreement or your WordPress.com account, you may simply discontinue using our Services, or, if you are using a paid service, you may cancel at any time, subject to the Fees, Payment, and Renewal section in these Terms.

All provisions of the Agreement which by their nature should survive termination shall survive termination, including, without limitation, ownership provisions, warranty disclaimers, indemnity, and limitations of liability.

14. Disclaimer of Warranties

Our Services are provided “as is.” Automattic and its suppliers and licensors hereby disclaim all warranties of any kind, express or implied, including, without limitation, the warranties of merchantability, fitness for a particular purpose and non-infringement. Neither Automattic, nor its suppliers and licensors, makes any warranty that our Services will be error free or that access thereto will be continuous or uninterrupted. If you’re actually reading this, here’s a treat. You understand that you download from, or otherwise obtain content or services through, our Services at your own discretion and risk.

15. Jurisdiction and Applicable Law.

Except to the extent any applicable law provides otherwise, the Agreement and any access to or use of our Services will be governed by the laws of the state of California, U.S.A., excluding its conflict of law provisions. The proper venue for any disputes arising out of or relating to the Agreement and any access to or use of our Services will be the state and federal courts located in San Francisco County, California.

16. Arbitration Agreement

Except for claims for injunctive or equitable relief or claims regarding intellectual property rights (which may be brought in any competent court without the posting of a bond), any dispute arising under the Agreement shall be finally settled in accordance with the Comprehensive Arbitration Rules of the Judicial Arbitration and Mediation Service, Inc. (“JAMS”) by three arbitrators appointed in accordance with such Rules. The arbitration shall take place in San Francisco, California, in the English language and the arbitral decision may be enforced in any court. The prevailing party in any action or proceeding to enforce the Agreement shall be entitled to costs and attorneys’ fees.

17. Limitation of Liability

In no event will Automattic, or its suppliers or licensors, be liable with respect to any subject matter of the Agreement under any contract, negligence, strict liability or other legal or equitable theory for: (i) any special, incidental or consequential damages; (ii) the cost of procurement for substitute products or services; (iii) for interruption of use or loss or corruption of data; or (iv) for any amounts that exceed the fees paid by you to Automattic under the Agreement during the twelve (12) month period prior to the cause of action. Automattic shall have no liability for any failure or delay due to matters beyond their reasonable control. The foregoing shall not apply to the extent prohibited by applicable law.

18. Indemnification

You agree to indemnify and hold harmless Automattic, its contractors, and its licensors, and their respective directors, officers, employees, and agents from and against any and all losses, liabilities, demands, damages, costs, claims, and expenses, including attorneys’ fees, arising out of or related to your use of our Services, including but not limited to your violation of the Agreement, Content that you post, and any ecommerce activities conducted through your or another user’s website.

19. US Economic Sanctions

You expressly represent and warrant that your use of our Services and/or associated services and products is not contrary to applicable U.S. Sanctions. Such use is prohibited, and we reserve the right to terminate accounts or access of those in the event of a breach of this condition.

20. Translation

These Terms were originally written in English (US). We may translate these terms into other languages. In the event of a conflict between a translated version of these Terms and the English version, the English version will control.

21. Miscellaneous

The Agreement constitutes the entire agreement between Automattic and you concerning the subject matter hereof. If any part of the Agreement is held invalid or unenforceable, that part will be construed to reflect the parties’ original intent, and the remaining portions will remain in full force and effect. A waiver by either party of any term or condition of the Agreement or any breach thereof, in any one instance, will not waive such term or condition or any subsequent breach thereof.

You may assign your rights under the Agreement to any party that consents to, and agrees to be bound by, its terms and conditions; Automattic may assign its rights under the Agreement without condition. The Agreement will be binding upon and will inure to the benefit of the parties, their successors and permitted assigns.


#####EOF##### WordPress.tv – Engage Yourself with WordPress.tv
#####EOF##### Go WordPress

How to Check Keyword Ranking for Your Content

Trying to evaluate your content’s SEO performance? Learn how to check keyword ranking and make adjustments that can help you boost your site traffic.

Advertising Using Social Media: Sponsored Posts and Social Ads 101

Advertising using social media can boost organic marketing efforts, generate website visits, and help target potential new customers. Learn how to start.

Create a Nonprofit Mission Statement That Inspires

If creating your nonprofit mission statement is still on your to-do list, follow these tips for creating a concise, impactful statement.

3 Paywall Examples and How to Use Them

What are paywalls and how can you use them to monetize your content? Here are three paywall examples as well as the best scenarios for each.

Create a Paywall With WordPress.com

Looking for ways to monetize your site? Try creating a paywall with WordPress.com.

Online Bookings: Tips and Plugins for Your WordPress.com Site

How can online bookings help your business? Here’s what you need to know, and a few easy ways to add online bookings to your WordPress.com site.

Boost Content on Social Media in 3 Steps

The ability to boost content on social media is a great way to meet your marketing goals, without having to create an ad strategy.

CSS Cheat Sheets to Eliminate the Mystery of Web Design

CSS cheat sheets are incredible resources for making your website look exactly the way you want it, without paying for a designer or an expensive theme.

Which Types of Digital Media Are Best for Your Business?

Determining which types of digital media to use is essential for moving your business forward. We break down your options here.

5 WordPress Hosting Considerations

Here are 5 WordPress hosting considerations for picking a platform to house your site.

Chelsea Baldwin / March 29, 2019

Go by WordPress.com

Welcome to Go by WordPress.com, where experts share their knowledge on building and growing a successful web presence.

Thousands of small businesses, online stores, and professionals of all stripes call WordPress.com home.

Whether you’re looking to promote your business or share your story, we have a plan that’s right for you.


#####EOF##### About Us — WordPress.com

About Us

Automatticians at the Company Meetup

At WordPress.com, our mission is to democratize publishing one website at a time.

Open source WordPress is the most popular online publishing platform, currently powering more than 32% of the web. We wanted to bring the WordPress experience to an even larger audience, so in 2005 we created WordPress.com.

We’re a hosted version of the open source software. Here, you can start a blog or build a website in seconds without any technical knowledge.

Overall, the WordPress.com network welcomes more than 409 million people viewing more than 15.5 billion pages each month. Our users publish about 41.7 million new posts and leave 60.5 million new comments each month.

All of us at Automattic constantly work on improving WordPress.com. We roll out updates almost every day, and develop other services, like Gravatar and Simplenote, to enhance your experience on the web. We want to build products, features, and themes you will love using, so don’t hesitate to leave us your feedback.

Almost everything on WordPress.com is free, and what’s currently free will remain so in the future. We keep your sites free by offering upgrades for things like Plans and custom domains, as well as products like anti-spam software Akismet and VIP hosting partnerships with major media outlets.

Whether you’re a blogger or a website owner, we know you have many places where you can pitch your online tent. If you’re a current user, thanks for choosing us — we love having you around. If you’re looking to build your online presence and haven’t decided where to drop anchor, give us a try. We’d love to become your home on the web.

#####EOF##### Support — WordPress.com

Need Help?

New to WordPress.com?

Start

Build the site of your dreams with WordPress.com. Learn about our best features, and how to get started.

Create

Write, click, publish, and revel. Your words can be read by anyone in the world. Isn't that exciting?

Customize

Find the perfect theme for your site and make it your own with widgets, menus, and custom design.

Connect

Share your work with the world through Facebook, Twitter, and other social networks.

We care about your happiness!

They don't call us Happiness Engineers for nothing. If you need help, don't sweat it. We're here for you!

#####EOF##### The Best WordPress Sites in the World | WordPress.org

WordPress Website Showcase

The City University of New York

www2.cuny.edu

The City University of New York (CUNY) is the public university system of New York City, and the largest urban university in the United States.

The Obama Foundation

www.obama.org

The Obama Foundation was established in January 2014 to “carry on the great, unfinished project of renewal and global progress.” In the near future, the Foundation will oversee the design and construction of the Obama Presidential Center.

The Village Voice

www.villagevoice.com

The Village Voice was founded by Dan Wolf, Ed Fancher, and Norman Mailer in 1955 as “the nation’s first alternative newsweekly.” Winner of three Pulitzer Prizes, the Village Voice introduced free-form, high-spirited, and passionate journalism into the public discourse.

Ogilvy & Mather South Africa

www.ogilvy.co.za

The corporate website for legendary advertising agency Ogilvy & Mather in South Africa. Ogilvy & Mather South Africa’s origins lie with a small hot shop in Cape Town, founded by Bob Rightford, Brian Searle-Tripp and Roger Makin in 1976.

The National Puerto Rican Day Parade

www.nprdpinc.org

The National Puerto Rican Day Parade in NYC is the largest parade in the country.

Angry Birds

www.angrybirds.com

Rovio took the world by storm in 2009 with Angry Birds, an international mobile game phenomenon that quickly became the most downloaded game of all time. Over the years, Angry Birds has seen rapid growth and evolved into an entertainment…

Vogue India

www.vogue.in

Vogue.in is the Indian edition of the internationally known brand, bringing you the best of global and Indian fashion, beauty, people, parties and culture.

thisisFINLAND

finland.fi

thisisFINLAND forms an attractive window on Finland for everyone interested in our country, its culture and its people. Produced by the Ministry for Foreign Affairs of Finland and published by the Finland Promotion Board, thisisFINLAND was originally established in 1995…

Canada.com

o.canada.com

Canada.com, featuring discussions about what Canadians are talking about, is owned and operated by Postmedia Network Inc., Canada’s largest publisher by circulation of paid English-language daily newspapers. canada.com complements Postmedia’s other properties including daily newspapers in cities across Canada like…

#####EOF##### WordPress.com
#####EOF##### Stats — Support — WordPress.com

Stats

Your stats page includes a bunch of nifty graphs, charts, and lists that show you how many visits your site gets, what posts and pages are the most popular ones, and much more.

Accessing Stats
Views and Visitors
Views by Country
Referrers
Marking Spam Referrers
Posts & Pages
Search Engine Terms
Clicks
Authors
Insights
Downloading Stats
Frequently Asked Questions

Accessing Stats

You can access your stats by selecting My Sites → Stats.

You can also get to stats from the WP Admin dashboard.

Views and Visitors

When you visit your Stats page, you’ll see a chart which represents your traffic for the day, week, month, or year (depending on which filter you’ve selected at the top of the page).

The two main units of traffic measurement are views and unique visitors.

  • A view is counted when a visitor loads or reloads a page.
  • A visitor is counted when we see a user or browser for the first time in a given period (day, week, month).

The weekly unique visitors figure can sometimes be less than the sum of daily visitors for the same week.

  • This occurs when the same visitor appears multiple times during the week.
  • The same goes for unique weekly visitors being less than your monthly visitors number.
  • Yearly totals are simply a sum of your monthly totals.

You may also notice that your visitor count lags behind your views count.

  • This is due to the way we process the numbers.
  • Typically a view is reported within five minutes.
  • It can take up to two hours for new visitors to show up in your stats.

This chart also includes tabs for viewing stats for likes and comments on your site in a given period.

The following are not reflected in your stats:

  • Visits to uploaded documents and files
  • Visits from browsers that do not execute JavaScript or load images
  • GoogleBot and other search engine spiders
  • Visits you make to your own publicly available site (when logged into your account)
  • Visits to a publicly available site by users that are logged in, and listed as members of the site

Views by logged-in members of your site, including yourself, are only counted in your stats for sites that are set to private.
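An added illustration, not WordPress.com's own code: the exclusion rules are modelled from the bullets above, the event records are constructed, and the bot markers and file suffixes are assumed stand-ins for whatever the real service matches on. It shows which requests the rules drop from the count and why the weekly unique-visitor figure can be less than the sum of the daily figures.

```python
from collections import defaultdict
from datetime import datetime

# Constructed view events (not real WordPress.com data): one record per page load.
# Fields: timestamp, visitor id (browser/cookie), user agent, whether the viewer
# is logged in as a member of the site, and the URL loaded.
EVENTS = [
    ("2019-04-01T09:00:00", "v1", "Mozilla/5.0", False, "/hello-world/"),
    ("2019-04-01T09:05:00", "v1", "Mozilla/5.0", False, "/hello-world/"),      # reload: second view, same visitor
    ("2019-04-01T10:00:00", "v2", "Mozilla/5.0", False, "/"),
    ("2019-04-02T11:00:00", "v1", "Mozilla/5.0", False, "/about/"),            # v1 returns the next day
    ("2019-04-02T12:00:00", "v3", "Googlebot/2.1", False, "/hello-world/"),    # search engine spider: excluded
    ("2019-04-02T13:00:00", "v4", "Mozilla/5.0", True, "/hello-world/"),       # logged-in member: excluded on a public site
    ("2019-04-03T08:00:00", "v2", "Mozilla/5.0", False, "/hello-world/"),
    ("2019-04-03T08:30:00", "v5", "Mozilla/5.0", False, "/uploads/report.pdf"), # uploaded file: excluded
]

# Assumed markers; the real service's crawler and file detection is not published here.
BOT_MARKERS = ("googlebot", "bingbot", "spider", "crawler")
FILE_SUFFIXES = (".pdf", ".zip", ".doc", ".docx", ".jpg", ".png")


def counts_as_view(user_agent, logged_in_member, url, site_private=False):
    """Apply the exclusions listed above: crawlers, direct loads of uploaded
    files, and (on public sites only) logged-in members of the site."""
    if any(marker in user_agent.lower() for marker in BOT_MARKERS):
        return False
    if url.lower().endswith(FILE_SUFFIXES):
        return False
    if logged_in_member and not site_private:
        return False
    return True


def tally(events, site_private=False):
    """Return (views per day, unique visitors per day, unique visitors per ISO week).

    A view is counted on every load; a visitor is counted once per period, so
    the weekly set deduplicates a visitor who appears on several days."""
    views = defaultdict(int)
    daily = defaultdict(set)
    weekly = defaultdict(set)
    for ts, visitor, ua, member, url in events:
        if not counts_as_view(ua, member, url, site_private):
            continue
        day = datetime.fromisoformat(ts).date()
        iso_year, iso_week = day.isocalendar()[:2]
        views[day.isoformat()] += 1
        daily[day.isoformat()].add(visitor)
        weekly[f"{iso_year}-W{iso_week:02d}"].add(visitor)
    return (
        dict(views),
        {d: len(s) for d, s in daily.items()},
        {w: len(s) for w, s in weekly.items()},
    )


if __name__ == "__main__":
    views, daily, weekly = tally(EVENTS)
    print("views per day:", views)
    print("visitors per day:", daily, "sum:", sum(daily.values()))
    print("visitors per week:", weekly)
```

For the constructed events the sum of daily unique visitors is 4 while the week's unique visitors are 2, because v1 and v2 each appear on two different days; switching `site_private=True` lets the member's view through, which is the behaviour the paragraph above describes for private sites.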

Views by Country

You can see how many views you’ve received per country by day, week, month, and year. If WordPress.com is not able to determine your visitors’ location, their views will not be counted in this chart.


Referrers

The referrers section lists other blogs, web sites, and search engines that link to your site. A view is associated with a referrer if a visitor lands on a URL on your site after clicking a link on the referrer’s site.


Marking Spam Referrers

Sometimes the list of referrers may include sites you’d rather not see. If you wish, you can report those referrers as spam and they will no longer appear in your list of referrers.

To mark them as spam, navigate to the Referrers section of your stats.

Each entry (with the exception of a few whitelisted referrers, such as WordPress.com) has a clickable ellipsis next to the view count.

When you click the ellipsis, a red Spam flag will appear. If you click the flag, the referrer link will go into your personal spam referrer block list and won’t show up in the future.

If you change your mind right away, you can click the Not Spam link that appears where the Spam link was previously. However, once you have navigated away from the stats page, you will not be able to undo the action.

Marking a site or referrer as spam will not affect your stats. It will only keep that referrer from appearing on your stats page.


Posts & Pages

This section of stats will list the Posts and Pages that have received the most views in the time period you’ve specified at the top of the page.

  • A view is only counted for a post or page when the permalink URL is visited, or the full post is viewed in the Reader.
  • If a visitor reads a post while viewing the home page of your site, the view will not be counted towards the post, only towards total views.

Search Engine Terms

  • These are the terms, words, and phrases people use on search engines (like Google, Yahoo, or Bing) to find posts and pages on your WordPress.com blog.
  • These do not include the terms which your readers use within your site’s Search Widget or any other search form on your site.
  • When we don’t know the search terms, we show them as Unknown search terms. Some search engines don’t reveal search terms for privacy reasons. Google, for example, has been encrypting the vast majority of search terms since 2013.

Clicks

This stat counts the number of times your readers have clicked on external links that appear on your site. These may be (but are not limited to):

  • Links you add to your post and page content.
  • Links placed in comments by your readers.
  • Links that appear in your blogroll.
  • Links attached to the names of users who comment on your site.
  • Links to media files.
  • Links to images in a gallery.

Authors

If your site features content by multiple users, this stat will let you see how much traffic each of them has generated. Clicking on a name will reveal the most popular posts and pages published by each author, and the number of views each has attracted.


Insights

Your Stats Insights page includes an overview of your site’s stats:

  • Posting activity: a visualization of your posting trends, showing how many posts you published and when.
  • Most popular day and hour: what time of day and day of the week your site gets the most views.
  • All-time posts, views, and visitors: your site’s total posts, views, and visitors, along with your all-time best day for views.
  • Today’s stats: How many views, visitors, likes, and comments your site received today.
  • Latest post summary: How many views, likes, and comments your most recent post received.
  • Tags & Categories: The number of views your most popular tags and categories have received in the previous seven days.

Your Insights page also includes recent stats about comments on your site, popular tags and categories, and your site’s followers.


Ads

If WordAds is enabled, selecting the Ads tab will bring up statistics about ads served on your site:

  • Your site must be enrolled in WordAds for this option to appear.
  • WordAds is available on our Premium and Business plans.
  • Your site must be public for WordAds and the Ads stat section to be enabled.
  • Stats for ads are fetched once a day from the ad server. They are not shown in real time.
  • Ad stats are an estimate and are subject to change. They are finalized the month following the one in which they were earned.

Downloading Stats

You can click the title of each module on your stats page, and scroll to the bottom of that module to download your stats. Simply click on the Download data as CSV link and download the file to your computer.


Frequently Asked Questions

Can I use Google Analytics?

To complement our built-in stats and to give you even more information about your traffic, you can use Google Analytics as part of the WordPress.com Business plan.

Do Site Stats include my own visits to my site?

Only for private sites. For users with private sites, your Site Stats page will show any visits that you have made to your own site, as well as the visits of other users who have access to your site.

How do I find out who my followers are?

On your Insights page you will see a list of your most recent followers in the Followers module. You can use the dropdown menu in that section to switch between your WordPress.com Followers and your Email Followers, and click on “View All” to view a full list of your followers. The Publicize module also shows a list of how many social media followers receive your posts through the Publicize feature.

Why don’t post and page views add up to total views?

Post and page views are included in your site’s total views, but there are many views that aren’t tied to a post or page URL. The front pages, category, tag, date, and author archive pages, and search result pages are all examples of other views that only count towards total views.

Why doesn’t the number of referrers add up to the number of total views?

Not all visitors will land on your site by clicking a link somewhere else. Visitors may type your URL directly into the web browser, click a link in an email, or click a link in another application which then loads the browser.

Why is the number of views less than the number of likes?

Readers may like your post without visiting your site, for example on the Reader. Since they didn’t actually visit your site, liking a post in this way does not count as a visit.

How can I view my RSS stats?

Followers reading your site via its RSS feed will not count toward your site statistics. You can, however, see the number of syndicated views each post receives on your stats pages when you access your stats via the WP Admin dashboard.

Can I get stats for my self-hosted WordPress.org site?
Can I display a hit/view counter on my site?

Yes, use the Blog Stats Widget.

How can I view stats for days more than a month ago?

If navigating through the summary view, stats are only offered for the past month.

When viewing stats for a particular day, the web address ends in the date you’re viewing. This date can be edited to jump to any date in Year-Month-Day format.

What users can see my site’s stats?

All of your site’s users can see the stats: Administrators, Editors, Authors, and Contributors.

What data does Stats collect about my site’s visitors?

Stats tracks and retains the following information about your site’s visitors:

  • Post and page views
  • Video plays
  • Outbound link clicks
  • Referring URLs and search engine terms
  • Country

As part of collating the above information, Stats uses data like IP address, WordPress.com user ID (if logged in), WordPress.com username (if logged in), user agent, visiting URL, referring URL, timestamp of event, browser language, and country code. However, none of this information is available to site owners. For example, a site owner can see that a specific post has 285 views, but he/she cannot see which specific users/accounts viewed that post. Furthermore, the Stats logs, in which this information is stored, are only retained for 28 days.

What is the orange bar before some posts and pages in the stats screen?

The orange bar indicates the posts and pages published within the selected date range.

Still confused?

Contact support.
#####EOF##### WordPress Themes | WordPress.org
#####EOF##### WordPress Plugins | WordPress.org

Block-Enabled Plugins

See all Block-Enabled Plugins

Builder Template Categories – for WordPress Page Builders

Organize your Page Builder Templates in the WordPress Admin. Better overview, don't get lost. Time…


David Decker - DECKERWEB 1,000+ active installations Tested with 5.1.1 Updated 23 hours ago

eBay Feeds for WordPress

Display feeds of eBay Products from eBay Partner Network on your site.


Winwar Media 2,000+ active installations Tested with 5.1.1 Updated 1 month ago

Algori 360 Video

Algori 360 Video is a Gutenberg Block Plugin that enables you to add interactive 360° videos…


Kevin Bazira 100+ active installations Tested with 5.0.4 Updated 4 months ago

Featured Plugins

See all Featured Plugins

Akismet Anti-Spam

Akismet checks your comments and contact form submissions against our global database of spam to…


Automattic 5+ million active installations Tested with 5.1.1 Updated 2 months ago

Classic Editor

Enables the previous "classic" editor and the old-style Edit Post screen with TinyMCE, Meta Boxes,…


WordPress Contributors 4+ million active installations Tested with 5.1.1 Updated 1 month ago

Beta Plugins

See all Beta Plugins

Gutenberg

A new editing experience for WordPress is in the works, with the goal of making…


Gutenberg Team 200,000+ active installations Tested with 5.1.1 Updated 9 hours ago

Popular Plugins

See all Popular Plugins

Contact Form 7

Just another contact form plugin. Simple but flexible.


Takayuki Miyoshi 5+ million active installations Tested with 5.0.4 Updated 4 months ago

Akismet Anti-Spam

Akismet checks your comments and contact form submissions against our global database of spam to…


Automattic 5+ million active installations Tested with 5.1.1 Updated 2 months ago
#####EOF##### WordPress Plugins | WordPress.org

Block-Enabled Plugins

See all Block-Enabled Plugins

WP Fusion Lite

WP Fusion connects your website to your CRM or marketing automation system.


Very Good Plugins 400+ active installations Tested with 5.0.4 Updated 2 months ago

LezWatch.TV News and Information

Display information on queer female, transgender, and non-binary representation on TV. Brought to you by…


LezWatch.TV Fewer than 10 active installations Tested with 5.1.1 Updated 1 month ago

The Events Calendar Shortcode and Templates

The Events Calendar Shortcode and Templates addon provides events shortcode block and templates for The…


Cool Plugins 5,000+ active installations Tested with 5.1.1 Updated 2 weeks ago

Coming Soon Page and Maintenance Mode for WordPress Block Editor

Creating WordPress coming soon pages should be fast & easy.


Helder Vilela from Pixelthrone 50+ active installations Tested with 5.1.1 Updated 1 month ago
#####EOF##### 44CON Media Coverage – 44CON

44CON Media Coverage

The Top 50 Must-Attend Information Security Conferences (Published January 2019)

Digital Guardian announce their list of the top 50 infosec conferences happening around the world in 2019; 44CON 2019 is among them.


44CON Insider: The importance of collaborative efforts in cybersecurity (Published 2017-09-19)

Great write up about 44CON 2017 by Richard Morrell.

“For those who don’t know what 44CON is, the show has grown to become one of the cornerstones of the UK security and technology industry. It is truly about the security troops in the trenches.”


44CON revisited: Secure Design in Software is still a new Concept (Published 2017-09-17)

Write-up about 44CON 2017 by our friends at DeepSec.

“So we enjoyed being at 44CON, meeting friends, and exchanging ideas about infosec. A big thanks to the crew! They made the event really smooth and worked a lot behind the scenes, so that everyone felt right at home. Looking forward to 44CON 2018!”


NewStatesman Cyber Security supplement (Published 2017-03-06)

Look for 44CON in the NewStatesman Spotlight Cyber Security supplement (we’re on page 46).


The Top 50 Must-Attend Information Security Conferences (Published 2017-01-26)

Digital Guardian announce their list of the top 50 infosec conferences happening around the world in 2017; 44CON London has made the list again this year.


44CON London 2016: When Hackers Meet a Corgi! (Published 2016-02-25)

A 44CON 2016 write-up by one of our attendees.


Fancy Bears’ infiltration of WADA shows how hacking is changing (Published 2016-09-15)

For years, Fancy Bear was quiet about its infiltration activities – now it seems happy to shout from the rooftops. Sky News came to 44CON 2016 and talked to some of our speakers and sponsors.


The Top 50 Must-Attend Information Security Conferences (Published 2016-02-25)

Digital Guardian announce their list of the top 50 infosec conferences happening around the world in 2016; 44CON London is among them.


44CON 2015 write-up by w1bble (Published 2015-09-24)

Post-44CON London 2015 write-up and photo spread by w1bble.


Risky Business #383 — Inside FireEye’s research gag (Published 2015-09-17)

A podcast from Risky Business taking a look at what happened in Germany, where FireEye sought and obtained an ex parte injunction against some security researchers over a presentation they were about to do at 44CON London 2015.


Notes from 44CON (Published 2015-09-16)

Dave Lewis, one of our speakers, talks about his experience at 44CON London 2015 and vulnerability disclosure.


LabTalk Episode 7: 44CON London (Published 2015-09-16)

Raytheon|Websense Podcast. In this episode Andrew Settle and Carl Leonard discuss responsible disclosure and more hot topics from this year’s 44CON London conference.


Researchers find backdoor bug in NASA rovers’ real-time OS (Published 2015-09-14)

Help Net Security reports on Yannick Formaggio’s presentation at 44CON London 2015.


Head Hacking (Published 2015-09-13)

Head Hacking asked people at 44CON London 2015 what’s wrong with security and made an uplifting music video about it.

#####EOF##### Discover | A daily selection of the best content published on WordPress, collected for you by humans who love to read.
#####EOF##### Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more. – 44CON

Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more.

Presented By: Dawid Czagan

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique hands-on training!

I will discuss security bugs that I have found together with Michal Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively. To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.

The two-day course will take place on the 27th and 28th of April 2016 at the ILEC Conference Centre.

Cost is £1,300.00 (inc. VAT). Buy your place in our shop now.

Course Syllabus

After completing this training, you will have learned about:

  • tools/techniques for effective hacking of web applications
  • non-standard XSS, SQLi, CSRF
  • RCE via serialization/deserialization
  • bypassing password verification
  • remote cookie tampering
  • tricky user impersonation
  • serious information leaks
  • browser/environment dependent attacks
  • XXE attack
  • insecure cookie processing
  • session related vulnerabilities
  • mixed content vulnerability
  • SSL strip attack
  • path traversal
  • response splitting
  • bypassing authorization
  • file upload vulnerabilities
  • caching problems
  • clickjacking attacks
  • logical flaws
  • and more…

This hands-on training has been attended by security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector, and was very well received. Recommendations can be found here (https://silesiasecuritylab.com/services/training/#opinions).

Target Audience

Pentesters, bug hunters, security researchers/consultants

What students will receive

Students will be handed a VMware image with a specially prepared testing environment in which to work with the bugs. What’s more, this environment is self-contained, and when the training is over, students can take it home (after signing a non-disclosure agreement) to continue practising at their own pace.

Student Requirements

To get the most out of this training, basic knowledge of web application security is needed. Students should have some experience in using a proxy, such as Burp or similar, to analyze or modify traffic.

What to Bring

Students will need a laptop with a 64-bit operating system, at least 4 GB of RAM (8 GB preferred), 35 GB of free hard drive space, a USB port (2.0 or 3.0), a wireless network adapter, administrative access, the ability to turn off AV/firewall, and VMware Player (64-bit version) installed. Prior to the training, make sure there are no problems with booting 64-bit VMs (BIOS settings changes may be needed).

About the Trainer

Dawid Czagan (@dawidczagan) is an internationally recognised security researcher and trainer. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his very well-received hands-on training “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (recommendations: https://silesiasecuritylab.com/services/training/#opinions).

He presented his research at Security Seminar Series (University of Cambridge), HITB GSEC (Singapore), DeepSec (Vienna) and published over 20 security articles (InfoSec Institute). Dawid Czagan is founder and CEO at Silesia Security Lab, which delivers specialised security auditing and training services. He is also Security Advisor at Future Processing.

To find out about the latest in Dawid Czagan’s work, you are invited to visit his blog and follow him on Twitter.

#####EOF##### The White House Showcase | WordPress.org

WordPress Website Showcase

Showcase » The White House

The White House

The White House has used WordPress since December 2017, and we are happy to help the nation create their website.

#####EOF##### Create a Website with WordPress.com

You’re just a few clicks away from the website you’ve always wanted.

WordPress.com gives you everything you need to start your website today. Free hosting, your own domain, a world-class support team, and so much more.

Customize your domain name

Register a new domain
Register a domain for your site to make it easier to remember and easier to share.
Bring your own domain
Already have a domain name? Point it to your WordPress.com website in a few easy steps.
Connect your email
Use your custom domain in your email address by activating email forwarding, G Suite, or other email services.

Every feature you need to create a powerful website

Plans for any budget
Start for free and get your website running quickly. Upgrade for advanced customization and themes, additional storage space, and business tools.
Blog, website, or both
Build a blog, a full website, or a combination of both. Write about your life, build a beautiful portfolio of your work, or build a robust business site — it’s up to you.
Intuitive editor
Our editor is fast, intuitive, and includes HTML and Markdown support. We save your work every few seconds, so you’ll never miss a word.
Upload or embed media
Drag-and-drop images into posts and pages. Create designer-worthy photo galleries. Embed audio, video, documents, and more.
Optimized for growth
WordPress.com has Jetpack essential features built in, including site statistics, basic SEO, and social media sharing.
Mobile and desktop apps
Update your site from anywhere with mobile and desktop apps for iOS, Android, Mac, Windows, and Linux systems.

Pick from hundreds of themes for any kind of project

You don’t need to learn web design to create the website of your dreams.
Spatial
Dyad
Perle
Marquee
Publication
Goodz
Illustrar

People love WordPress.com

I looked into what other bloggers whom I admired were using, and the Cadillac of platforms is WordPress.com, hands down. The themes are breathtaking — even the free ones! — and all of the supporting infrastructure and information is top shelf.
Alexis Kanda-Olmstead
alexiskanda-olmstead.com
It’s been a great privilege and a life-changing experience. I’m grateful to WordPress.com for providing an affordable and user-friendly platform for individuals to launch projects and be heard in this way.
Ann Morgan
ayearofreadingtheworld.com

Choose your plan

Personal

WordPress.com Personal
$4

per month, billed yearly

Best for Personal Use: Boost your website with a custom domain name, and remove all WordPress.com advertising. Get access to high quality email and live chat support.

Start with Personal

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Dozens of Free Themes
  • Basic Design Customization
  • 6GB Storage Space
  • Remove WordPress.com Ads

Premium

WordPress.com Premium
$8

per month, billed yearly

Best for Entrepreneurs & Freelancers: Build a unique website with advanced design tools, CSS editing, lots of space for audio and video, and the ability to monetize your site with ads.

Start with Premium

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • 13GB Storage Space
  • Remove WordPress.com Ads
  • Simple Payments
  • Monetize your site
  • VideoPress support

Business

WordPress.com Business
$25

per month, billed yearly

Best for Small Business: Power your business website with unlimited premium and business theme templates, Google Analytics support, unlimited storage, and the ability to remove WordPress.com branding.

Start with Business

  • Free Domain for One Year
  • Jetpack Essential Features
  • Email & Live Chat Support
  • Unlimited Premium Themes
  • Advanced Design Customization
  • Unlimited Storage Space
  • Remove WordPress.com Ads
  • Simple Payments
  • Monetize your site
  • VideoPress support
  • Jetpack Search
  • Attend live courses
  • SEO Tools
  • Install Plugins NEW
  • Upload themes NEW
  • Google Analytics Integration
  • Remove WordPress.com Branding

You asked, we answered

You can pay for your brand new WordPress.com plan, add-ons, and domains in the Store checkout using any major credit card, debit card, or PayPal.
Plans and domains renew annually and we take care of everything. We charge your account one month before the end of the subscription period. If your payment information needs updating, we’ll let you know.
Purchases made on WordPress.com can be canceled and refunded during the refund period. You can also unsubscribe at any time if you don’t want your subscription to renew.
On WordPress.com, we provide e-mail forwarding, but if you’d rather have full email hosting, you can connect another provider to your custom domain.
Absolutely. You can change your blog language, which is how your readers will experience your site and the Interface Language, which changes the admin tools language. The language you use on your blog is up to you!
Yes! You can sell individual items on your blog using your PayPal account and a button directing your readers to the PayPal payment screen. You can also publish sponsored posts or use affiliate links in your content, and apply to join WordAds, our advertising program.
Premium themes are paid themes with exciting options for customization and exclusive support from theme authors themselves. Choose the Premium Plan or Business Plan for unlimited Premium Themes.
It is possible to import your blog content from a variety of other blogging platforms, including Blogger, LiveJournal, Movable Type, Tumblr, Typepad, Xanga, and more. You can also easily import your content from a self-hosted WordPress site.

Join the network serving more than 20 billion pageviews a month

#####EOF##### WordPress Mobile Apps | WordPress.org

WordPress Mobile Apps

Inspiration strikes any time, anywhere. WordPress mobile apps put the power of publishing in your hands, making it easy to create and consume content. Write, edit, and publish posts to your site, check stats, and get inspired with great posts in the Reader. And of course, they’re open source, just like WordPress.

Get a Mobile App

WordPress mobile apps support WordPress.com and self-hosted WordPress.org sites running WordPress 4.0 or higher.

#####EOF##### WordPress.com
#####EOF##### Create an eCommerce Website with WordPress.com

Everything you need for a powerful, profitable site.

Create an eCommerce website with WordPress.com

WordPress.com offers a full range of eCommerce options, from one-click payment buttons to a fully customizable online store.

Start taking payments in seconds

Whether you want to sell baked goods to your neighbors or accept donations for a local organization, WordPress.com makes taking payments a breeze. Our Simple Payments button allows you to take credit or debit card payments from any page with minimal setup.

Create an online store

WordPress.com gives you all the tools you need to publish content and sell products from the same platform. Create a powerful online store and install more plugins to help you customize products, attract customers, and increase your sales.

Sell anything, anywhere

Try the most flexible WordPress eCommerce solution on the market, powering more stores than any other platform. Sell everything from physical goods to memberships to subscription boxes, and deliver it up the street or across an ocean.

With WordPress.com eCommerce, you have the freedom to create a beautiful store that meets your needs. The only limit is your imagination.

Choose your starting point

Quick and easy payments

$8 per month, billed yearly
Best for Bloggers

Build a powerful website with the ability to accept payments or donations with Simple Payments. Also includes advanced design tools, lots of space for media files, and the ability to further monetize your site with ads. Get started with WordPress.com Premium.

Start with Premium

Multi-purpose business site

$25 per month, billed yearly
Best for Small Businesses

Add an online store to your business website with the ability to sell and ship physical products. Also includes installation of custom plugins and themes, real-time concierge support, Google Analytics, and unlimited storage. Get started with WordPress.com Business.

Start with Business

eCommerce experience

$45 per month, billed yearly
Best for Dedicated eCommerce

Sell products or services with this powerful, all‑in‑one online store experience. This plan includes premium integrations and is extendable, so it’ll grow with you as your business grows.

Start with eCommerce
#####EOF##### WordPress.com Apps - Mobile Apps

WordPress at your fingertips.

Features

The power of publishing in your pocket

Post on the Go

Publish blog updates from any corner of the globe, like travel writer Chérie King, who explores the world with her iPad and a thirst for adventure. Or draft posts from the palm of your hand: you might find writer Dave Graham editing a post on his Android phone, in a Yorkshire coffee shop in the United Kingdom.
Stats

Stats

Sneak a peek at your visitors and views on your morning commute. Track your most popular stories of the day on your lunch break. Discover where your readers come from, all around the world. Keep your finger on the pulse of your site.
Reader

Reader

Catch up with your favorite sites and join the conversation anywhere, any time — like Toronto street photographer Shane Francescut, who follows popular photography tags, browses new blog posts right in the Reader, and leaves likes and comments, all on his Android device.
Notifications

Push Notifications

Keep up with your site’s activity, even when away from your desk. Check your notifications to keep conversations flowing with your followers. Engage with the community you’ve built — with just a touch on your screen.
Jetpack Integration

Jetpack Integration

If you’re a self-hosted user with a Jetpack-powered site, like lifestyle blogger Katie Hoffman, you can publish posts and connect with readers from your device of choice. From notifications to sharing tools, you’ve got the entire WordPress community in your pocket.
#####EOF##### The Martha Blog Showcase | WordPress.org

WordPress Website Showcase

Showcase » The Martha Blog

The Martha Blog

The Martha Stewart blog – up close & personal

Source: www.themarthablog.com
#####EOF##### Download | WordPress.org

Get WordPress

Use the software that powers over 33% of the web.

Priceless, and also free

Download WordPress and use it on your site.

WordPress Hosting

Choosing a hosting provider can be difficult, so we have selected a few of the best to get you started.

Bluehost has turned passion for WordPress into the fastest, simplest managed platform for your websites. Recommended by WordPress since 2005, each WordPress package offers a free domain, free SSL, and 24/7 support.

Visit Bluehost

Privacy-focused and dedicated to the Open Web, DreamHost provides some of the most powerful and secure managed WordPress environments in the world.

Visit DreamHost
See all of our recommended hosts

Inspiration strikes anywhere, anytime

Create or update content on the go with our mobile apps.

Learn more about our mobile apps
#####EOF##### Blog Tool, Publishing Platform, and CMS — WordPress
Powerful Features

Limitless possibilities. What will you create?

  • Customizable Designs
  • SEO Friendly
  • Responsive Mobile Sites
  • High Performance
  • Manage on the Go
  • High Security
  • Powerful Media Management
  • Easy and Accessible

#####EOF##### WordPress.com vs WordPress.org Hosting Options

Create a site with WordPress.

Build your site with the software trusted by 33% of the internet.

Get Started

Choose WordPress.com for the fastest, easiest way to start your website.

The Easiest Place to Get Started

Hosting, security, backups, and spam protection are all included. Pick from more than 300 themes, activate our powerful features inspired by the best plugins, and get a custom domain with a plan.

Start with WordPress.com

Choose a custom WordPress installation for the ultimate control over your website.

Pick from thousands of community themes and plugins and manage your own security and software updates on your preferred hosting provider. Choose optional dedicated WordPress hosting for increased performance.

Designed and built to run WordPress like a dream. Exclusive technology gives you the proven performance, reliability, and functionality you need.

Start with Bluehost

Award-winning WordPress Hosting

Sites optimized for peak performance, automatic security and backups, up to 20x daily traffic scaling, experts on call to help round the clock.

Start with DreamHost

Out of all of the hosts in the world we've chosen to recommend Bluehost and DreamHost as the two we think are best. If you sign up with one of our recommended partners we have a commercial affiliate relationship with them.

People love WordPress.com

I looked into what other bloggers whom I admired were using, and the Cadillac of platforms is WordPress.com, hands down. The themes are breathtaking — even the free ones! — and all of the supporting infrastructure and information is top shelf.
Alexis Kanda-Olmstead
alexiskanda-olmstead.com
It’s been a great privilege and a life-changing experience. I’m grateful to WordPress.com for providing an affordable and user-friendly platform for individuals to launch projects and be heard in this way.
Ann Morgan
ayearofreadingtheworld.com

Need help deciding?

Learn more about each option to choose the one that’s best for you.

WordPress.com

Total simplicity — we take care of everything.

  • Build a site in minutes. We host your site, register your domain, and offer built-in plugins including automated software updates and security.

  • Choose from hundreds of beautiful designs and customize them for your business site, blog, or portfolio. Purchased a WordPress theme elsewhere? No problem: the WordPress.com Business plan lets you install any theme you’d like.

  • Reach a wider audience and find new readers. Sync your content to Facebook and Twitter and connect with millions of people using WordPress.com.

  • Get support right from the experts. Access documents, forums, videos, or get 1-on-1 help by e-mail or live chat.

Start with WordPress.com

WordPress.org

More control — you install and host your site.

  • Find a host, install plugins, and get your hands dirty. We can help with services like Jetpack for security and backups.

  • Have complete control over your design and code. Install and customize any WordPress theme you want or build your own with PHP and CSS.

  • Extend your site with plugins. Choose from thousands of community plugins to add features like spam protection, custom galleries, in-depth analytics, and more.

  • Find help from the wider WordPress community through support forums.

Start with Bluehost

#####EOF##### Stats — WordPress.com

Stats

A live look at activity across WordPress.com

This is a collection of stats from around WordPress.com that we’ve decided to share with the world. Interested in your own stats? Every WordPress.com blog includes an integrated stats system, also available for self-hosted WordPress sites with Jetpack.

The following stats are for blogs we host here on WordPress.com, both on subdomains and their own domains, or externally-hosted blogs that use our Jetpack plugin and are part of our network.

How many people are reading blogs?

Over 409 million people view more than 20 billion pages each month.

How many posts are being published?

Users produce about 70 million new posts and 77 million new comments each month.

Who publishes on WordPress.com?

From TechCrunch to TED, CNN, and the National Football League, WordPress.com users span a broad range.

We have a publisher blog focusing on some leading WordPress sites. You can also see more notable users or view our editors’ picks at Freshly Pressed.

Where in the world is WordPress.com used?

We host WordPress blogs written in over 120 languages. Below is a breakdown of the top 10 languages:

  1. English: 71%
  2. Spanish: 4.7%
  3. Indonesian: 2.4%
  4. Portuguese (Brazil): 2.3%
  5. French: 1.5%
  6. Russian: 1.3%
  7. German: 1.2%
  8. Italian: 1%
  9. Turkish: 0.7%
  10. Dutch: 0.6%

Frequently asked questions

What topics do people write about on WordPress.com?
All of them! Check out our tags to get a glimpse (other languages: Spanish, Indonesian, French, German…).

How does WordPress compare to other publishing platforms?
It’s a somewhat subjective call, but we like this Google Trends chart comparing some of the leading platforms.

Will WordPress continue to grow?
It shows no signs of slowing down. As of 2014, tens of thousands of new WordPress sites are created every day. Blogs continue to be highly popular around the world, and we’re now seeing a trend that’s potentially even bigger: publishers are using WordPress to create all kinds of sites beyond blogs — news sites, company sites, magazines, social networks, sports sites, and more. The WordPress Showcase contains many interesting examples.

What’s the difference between WordPress.com and WordPress.org?
WordPress.com is a service that hosts WordPress blogs. WordPress.org is a community where people work on the open source WordPress software. It’s also where that software can be downloaded to be run on your own web server. Still confused? You might want to read this support document.

Do you have more public stats?
Why yes. Here’s info on embeds (posts that contain Twitter, Flickr, YouTube, Photobucket, Vimeo and more) and some miscellaneous stats (support requests, theme switches, new avatars).

#####EOF##### The Rolling Stones Showcase | WordPress.org

WordPress Website Showcase

Showcase » The Rolling Stones

The Rolling Stones

A 50th anniversary overhaul for the website of the World’s Greatest Rock ‘N’ Roll Band, including a complete discography managed entirely within WordPress, tightly integrated with iTunes… and the page described by Gizmodo as Probably The Greatest 404 Error Of All Time.

#####EOF##### Minimum PHP Version update — WordPress

Minimum PHP Version update

Posted April 1, 2019 by Aaron Jorbin. Filed under Development.

WordPress 5.2 is targeted for release at the end of this month, and with it comes an update to the minimum required version of PHP. WordPress will now require a minimum of PHP 5.6.20.

Beginning in WordPress 5.1, users running PHP versions below 5.6 have had a notification in their dashboard that includes information to help them update PHP. Since then, the WordPress stats have shown an increase in users on more recent versions of PHP.


Screenshot of the "PHP Update Required" widget from the WordPress dashboard. Contains information about detecting an insecure version of PHP, how it affects your site, and a link for information on upgrading.
The dashboard widget users see if running an outdated version of PHP

Why You Should Update PHP

If your site is running on an unsupported version of PHP, the WordPress updater will not offer WordPress 5.2 to your site. If you attempt to update WordPress manually, that update will fail. To continue using the latest features of WordPress you must update to a newer version of PHP.

When updating to a new version of PHP, WordPress encourages updating to its recommended version, PHP 7.3. The PHP internals team has done a great job making its most recent version the fastest version of PHP yet. This means that updating will improve the speed of your site, both for you and your visitors.

This performance increase also means fewer servers are needed to host websites. Updating PHP isn’t just good for your site, it also means less energy is needed for the 1-in-3 sites that use WordPress, so it’s good for the planet.

How to Update PHP

If you need help updating to a new version of PHP, detailed documentation is available. This includes sample communication to send to your host for them to assist you. Many hosting companies have published information on how to update PHP that is specific for them.

5.6 now, but soon 7+

This is the first increase in PHP required version for WordPress since 2010, but may not be the only increase in 2019. The WordPress core team will monitor the adoption of the most recent versions of PHP with an eye towards making PHP 7+ the minimum version towards the end of the year.

Update PHP today, so you can update WordPress tomorrow!

#####EOF##### ILEC Conference Centre – 44CON

ILEC Conference Centre

One of the largest conference hotels in West London, ILEC Conference Centre offers a capacious and flexible event hall of around 1500 sqm in a single space, as well as 5 additional syndicate rooms.

Free secure wireless networking will be available to all attendees and sponsors in the conference area.

The conference centre is a short walk from the West Brompton and Earls Court Underground Stations. Hyde Park, Kensington Palace and Gardens, The Royal Albert Hall, The Natural History Museum, Science and Victoria & Albert Museums are a short walk away for your security conference tourism convenience, with the rest of central London within easy reach.

#####EOF##### WordPress.com Apps - Desktop Apps

A desktop app that gives WordPress a permanent home in your dock or taskbar.

You'll need a WordPress.com login. Get one here.

Features

A control panel for all your WordPress sites

Focus on your content

Write and design with no other browser tabs to distract you. Switch easily between managing your WordPress sites and your favorite desktop apps.

Speed is a feature

The desktop app builds upon the already fast WordPress.com by bundling the entire site as a local copy. You get near-instant page-loads and less waiting around.

Not one size fits all

The WordPress.com desktop app will scale to any size. Do you need a small window on the side to keep your eye on notifications, or do you want to expand to a truly full screen for a zen writing experience? Take your pick.
#####EOF##### Blog — WordPress

The Month in WordPress: March 2019

Posted by Hugh Lashbrooke. Filed under Month in WordPress.

WordPress reached a significant milestone this month. With some exciting developments in Core, an interesting new proposal, and the return of a valuable global event, March was certainly an interesting time.

WordPress Now Powers One-Third of the Web

WordPress’ market share has been steadily increasing, and as of halfway through this month, it powers over one-third of the top 10 million sites on the web (according to W3Techs, which tracks usage statistics for all major web platforms).

This growth of WordPress is only made possible by the large team of volunteers working to build the project and community. If you would like to get involved in building the future of WordPress, then check out the Make network for a contributor team that fits your skill set.

WordPress 5.2 is on the Way

WordPress 5.1.1 was released this month, with 14 fixes and enhancements, and the Core team is now focusing on the next major release, version 5.2. This release will include some great new features, along with the latest updates to the block editor.

One of the most anticipated new features is the improved fatal error detection – this was removed from v5.1 shortly before release so that it could be improved and made more secure for this release. Along with that, PHP 5.6 is going to become the minimum required PHP version for WordPress, a significant step towards a more modern web and updated coding standards.

WordPress 5.2 is now in beta and you can test it by installing the Beta Tester plugin on any WordPress site.

Want to get involved in building WordPress Core? Follow the Core team blog and join the #core channel in the Making WordPress Slack group.

Proposal for a Central Block Directory

With blocks becoming the new way to manage content in WordPress, more and more types of blocks are being developed to cater for different use cases and content types. In an effort to make it easier for content creators to find these block types, there is a proposal for a new type of plugin and a directory to handle it.

The proposal outlines a new type of WordPress plugin that provides blocks and nothing else, named Single Block Plugins. The primary benefit would be to provide content creators with individual pieces of functionality and new types of blocks without the need to search for and install new plugins.

The Single Block Plugins would be hosted in a separate Block Directory section of the Plugin Directory and they would initially be JavaScript-based. Each plugin will register a single block, and they will be searchable and installable from within the editor itself. This puts blocks at the publishers’ fingertips — you no longer have to leave the editor to find them.

Want to get involved in shaping this new type of plugin? Join in the conversation on the proposal post, follow the Meta team blog, and join the #meta channel in the Making WordPress Slack group.

Global WordPress Translation Day is Back

On 11 May 2019, the fourth Global WordPress Translation Day will take place. This is a 24-hour global event dedicated to the translation of all things WordPress, from core to themes, plugins to marketing.

Over the course of 24 hours, WordPress communities will meet to translate WordPress into their local languages and watch talks and sessions broadcast on wptranslationday.org. During the last Global WordPress Translation Day, 71 local events took place in 29 countries, and even more communities are expected to take part this time.

Want to get involved in the Global WordPress Translation Day? Find out how to organize a local event, apply to be a speaker, follow the updates on the Polyglots team blog, and join the #polyglots channel in the Making WordPress Slack group.

Gutenberg Development Continues

With the block editor in WordPress Core, the team has been able to focus on adding some frequently requested features. Version 5.3 of Gutenberg, released this month, includes a new block manager modal, the ability to nest different elements in the cover block, and some UI tweaks to improve the hover state of blocks.

Want to get involved in developing Gutenberg? Check out the GitHub repository and join the #core-editor channel in the Making WordPress Slack group.

Have a story that we should include in the next “Month in WordPress” post? Please submit it here.

WordPress 5.2 Beta 1

Posted March 27, 2019 by Josepha. Filed under Development, Releases.

WordPress 5.2 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

You can test the WordPress 5.2 Beta two ways:

WordPress 5.2 is slated for release on April 30, and we need your help to get there. Here are some of the big items to test so we can find as many bugs as possible in the coming weeks.

Block Editor

The block editor has received significant performance improvements since WordPress 5.1, shaving 35% off the load time for massive posts, and cutting the keypress time (how responsive it feels when you’re typing) in half!

Accessibility continues to improve, too. The block editor now supports your browser’s reduced motion settings. The post URL slug has better labelling and help text. The focus styling for keyboard navigating through landmarks is clearer and more consistent. There are a variety of new speak messages, and existing messages have been tweaked for more useful screen-reader behaviour.

We’ve added several new blocks:

• An RSS block
• An Amazon Kindle embed block
• A Search block
• A Calendar block
• A Tag Cloud block

To help you keep track of these blocks, and only show the ones you need, there’s a new block management tool to switch blocks on and off.

Block Management Modal

We’re constantly working on existing blocks, too. There are hundreds of bug fixes and improvements in the block editor; you can read more about them in the Gutenberg plugin releases: 4.9, 5.0, 5.1, 5.2, and 5.3.

The WordPress Mobile Apps

The block editor isn’t just for websites, either. The WordPress mobile apps now include an experimental version of a built-in block editor. This is still under development, but you can try it out now!

Site Health Check

Site Health Check is an ongoing project aimed at improving the stability and performance of the entire WordPress ecosystem.

The first phase of this project (originally scoped for WordPress 5.1) is now included in WordPress 5.2. For the first time, WordPress will catch and pause the problem code, so you can log in to your Dashboard and see what the problem is (#44458). Before, you’d have to FTP in to your files or get in touch with your host.

In addition, we’re adding a new Health Check tool to your Dashboard. Visit the Tools menu and click on Health Check to get information that can help improve the speed and security of your site.

PHP Version Bump

With this release, WordPress will increase its minimum supported PHP version to 5.6. To help you check if you’re prepared for this change, WordPress 5.2 will show you a warning and help you upgrade your version of PHP, if necessary.

For Developers

• Plugins can now specify the minimum version of PHP that they support, so you can safely modernise your development practices without risking breaking your users’ sites. (#40934)
• We’ve added the sodium_compat library, which provides backwards compatibility for the Sodium-based cryptography library added in PHP 7.2. (#45806)
• There’s a new release of Dashicons, the WordPress Dashboard icon font. There are 25 new icons for you to use! (#41074)
• You can now pass a label to get_search_form(), improving accessibility. (#42057)

There have been 130 tickets closed in WordPress 5.2 so far, with numerous small bug fixes and improvements to help smooth your WordPress experience.

Keep your eyes on the Make WordPress Core blog for developer notes (which are assigned the dev-notes tag) in the coming weeks detailing other changes in 5.2 that you should be aware of.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

With each new release,
bearing multiple betas;
We fix, then we fly.

    One-third of the web!

    Posted March 15, 2019 by Joost de Valk. Filed under General.

    WordPress now powers over 1/3rd of the top 10 million sites on the web according to W3Techs. Our market share has been growing steadily over the last few years, going from 29.9% just one year ago to 33.4% now. We are, of course, quite proud of these numbers!

    The path here has been very exciting. In 2005, we were celebrating 50,000 downloads. Six years later, in January 2011, WordPress was powering 13.1% of websites. And now, early in 2019, we are powering 33.4% of sites. Our latest release has already been downloaded close to 14 million times, and it was only released on the 21st of February.

    Graph showing the growth of WordPress market share relative to other CMS's like Joomla, Drupal and others. Starting at just over 10% in January 2011 to 33.4% now.
    WordPress market share on the rise over the last 8 years. Image source: W3Techs.

    Over the years WordPress has become the CMS of choice for more and more people and companies. As various businesses use WordPress, the variety of WordPress sites grows. Large enterprise businesses all the way down to small local businesses: all of them use WordPress to power their site. We love seeing that and we strive to continuously make WordPress better for all of you.

    We’d like to thank everyone who works on WordPress, which is built and maintained by a huge community of volunteers that has grown alongside the CMS. This incredible community makes it possible for WordPress to keep growing while still also remaining free. And of course, we’d like to thank all of you using WordPress for using it and trusting in it. To all of you: let’s celebrate!

    WordPress 5.1.1 Security and Maintenance Release

    Posted March 12, 2019 by Luke Carbis. Filed under Releases, Security.

    WordPress 5.1.1 is now available! This security and maintenance release introduces 14 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2.

    This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting.

    WordPress versions 5.1 and earlier are affected by these bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not yet updated to 5.1.

    Props to Simon Scannell of RIPS Technologies who discovered this flaw independent of some work that was being done by members of the core security team. Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

    Other highlights of this release include:

    • Hosts can now offer a button for their users to update PHP.
    • The recommended PHP version used by the “Update PHP” notice can now be filtered.
    • Several minor bug fixes.

    You can browse the full list of changes on Trac.

    WordPress 5.1.1 was a short-cycle maintenance release. Version 5.1.2 is expected to follow a similar two week release cadence.

    You can download WordPress 5.1.1 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.

    In addition to the security researcher mentioned above, thank you to everyone who contributed to WordPress 5.1.1:

    Aaron Jorbin, Alex Concha, Andrea Fercia, Andy Fragen, Anton Vanyukov, Ben Bidner, bulletdigital, David Binovec, Dion Hulse, Felix Arntz, Garrett Hyder, Gary Pendergast, Ian Dunn, Jake Spurlock, Jb Audras, Jeremy Felt, Johan Falk, Jonathan Desrosiers, Luke Carbis, Mike Schroder, Milan Dinić, Mukesh Panchal, Paul Biron, Peter Wilson, Sergey Biryukov, and Weston Ruter.

    The Month in WordPress: February 2019

    Posted March 1, 2019 by Hugh Lashbrooke. Filed under Month in WordPress.

    A new version of WordPress, significant security enhancements, important discussions, and much more – read on to find out what has been going on in the WordPress community for the month of February.


    Release of WordPress 5.1

    Near the end of the month, WordPress 5.1 was released, featuring significant stability and performance enhancements as well as the first of the Site Health mechanisms that are in active development. Most prominent is the new warning for sites running long-outdated versions of PHP.

    You can check out the Field Guide for this release for a detailed look at all the new features and improvements. The next release is already in development with plans to improve the Site Health features, PHP compatibility, and a number of other things.

    Want to get involved in testing or building WordPress Core? You can install the WordPress Beta Tester plugin, follow the Core team blog, and join the #core channel in the Making WordPress Slack group.

    Gutenberg Development Continues

    The block editor that is now a part of WordPress core started out as a project named Gutenberg with the lofty goal of creating a whole new site-building experience for all WordPress users. The first phase of Gutenberg resulted in the block editor that was included in WordPress 5.0, but development didn’t stop there – phase 2 of the project is well underway.

    This month, one of the initial goals for this phase was reached with all of the core WordPress widgets being converted to blocks – this will go a long way to allowing full sites to be built using blocks, rather than simply post or page content.

    Want to get involved in developing Gutenberg? Check out the GitHub repository and join the #core-editor channel in the Making WordPress Slack group.

    Block Editor Comes to the Mobile Apps

    As Gutenberg development continues, the Mobile team has been working hard to integrate the new block editor into the WordPress mobile apps. Near the end of February, the team shipped a complete integration in the beta versions of the apps – this is a significant milestone and a big step towards unifying the mobile and desktop editing experiences.

    Both the iOS and Android apps are open for beta testers, so if you would like to experience the block editor on mobile today, then join the beta program.

    Want to get involved in developing the WordPress mobile apps? Follow the Mobile team blog, and join the #mobile channel in the Making WordPress Slack group.

    WordPress Triage Team Announced

    One of the goals for 2019 that Matt Mullenweg (@matt) announced in his State of the Word address last year was to form a team who would work to manage the ever-increasing number of tickets in Trac, the bug tracker that WordPress Core employs.

    This team, known as the Triage Team, has been announced. Their work will involve coordinating with component maintainers, release leads, project leadership, contributors, and other WordPress related projects with issue trackers outside of Trac to ensure that everyone is empowered to focus on contributing.

    The team was formed based on nominations of volunteers to take part and will be led by Jonathan Desrosiers (@desrosj). The other members of the team are Chris Christoff (@chriscct7), Tammie Lister (@karmatosed), Sergey Biryukov (@sergey), and Sheri Bigelow (@designsimply) – all of whom have a strong track record of contributing to WordPress, have exhibited good triaging practices, and are overall good community members.


    Further Reading:

    Have a story that we should include in the next “Month in WordPress” post? Please submit it here.

    WordPress 5.1 “Betty”

    Posted February 21, 2019 by Matt Mullenweg. Filed under Releases.

    A Little Better Every Day

    Version 5.1 of WordPress, named “Betty” in honour of acclaimed jazz vocalist Betty Carter, is available for download or update in your WordPress dashboard.

    Following WordPress 5.0 — a major release which introduced the new block editor — 5.1 focuses on polish, in particular by improving the overall performance of the editor. In addition, this release paves the way for a better, faster, and more secure WordPress with some essential tools for site administrators and developers.

    Site Health

    With security and speed in mind, this release introduces WordPress’s first Site Health features. WordPress will start showing notices to administrators of sites that run long-outdated versions of PHP, which is the programming language that powers WordPress.

    When you install new plugins, WordPress’s Site Health features will check them against the version of PHP you’re running. If the plugin requires a version that won’t work with your site, WordPress will keep you from installing that plugin.

    Editor Performance

    Introduced in WordPress 5.0, the new block editor continues to improve. Most significantly, WordPress 5.1 includes solid performance improvements within the editor. The editor should feel a little quicker to start, and typing should feel smoother.

    Expect more performance improvements in the next couple of releases.


    Developer Happiness

    Multisite Metadata

    5.1 introduces a new database table to store metadata associated with sites and allows for the storage of arbitrary site data relevant in a multisite / network context.

    Cron API

    The Cron API has been updated with new functions to assist with returning data and includes new filters for modifying cron storage. Other changes in behavior affect cron spawning on servers running FastCGI and PHP-FPM versions 7.0.16 and above.

    New JS Build Processes

    WordPress 5.1 features a new JavaScript build option, following the large reorganisation of code that started in the 5.0 release.

    Other Developer Goodness

    Miscellaneous improvements include:

    • Updates to values for the WP_DEBUG_LOG constant
    • New test config file constant in the test suite, new plugin action hooks
    • Short-circuit filters for wp_unique_post_slug(), WP_User_Query, and count_users()
    • A new human_readable_duration function
    • Improved taxonomy metabox sanitization
    • Limited LIKE support for meta keys when using WP_Meta_Query
    • A new “doing it wrong” notice when registering REST API endpoints

    …and more!


    The Squad

    This release was led by Matt Mullenweg, along with Gary Pendergast as Senior Code Reshuffler and Poet. They received wonderful assistance from the following 561 contributors for this release, 231 of whom were making their first ever contribution! Pull up some Betty Carter on your music service of choice, and check out some of their profiles:

    0x6f0, 1265578519, 1naveengiri, 360zen, aardrian, Aaron Jorbin, Abdullah Ramzan, Abhay Vishwakarma, Abhijit Rakas, Achal Jain, achbed, Adam Silverstein, Ajit Bohra, Alain Schlesser, aldavigdis, alejandroxlopez, Alex, Alex Concha, Alex Shiels, Alexander Botteram, Alexandru Vornicescu, alexgso, allancole, Allen Snook, Alvaro Gois dos Santos, Ana Cirujano, Anantajit JG, Andrea Fercia, Andrea Gandino, Andrea Middleton, andrei0x309, andreiglingeanu, Andrew Duthie, Andrew Lima, Andrew Nacin, Andrew Nevins, Andrew Ozz, Andrey Savchenko, Andrés Maneiro, Andy Fragen, Andy Meerwaldt, Angelika Reisiger, Antal Tettinger, antipole, Anton Timmermans, Anton Vanyukov, Antonio Villegas, antonioeatgoat, Anwer AR, Arun, Ashar Irfan, ashokrd2013, Aumio, Ayesh Karunaratne, Ayub Adiputra, Barry Ceelen, Behzod Saidov, Ben Byrne, benhuberman, Benoit Chantre, benvaassen, Bhargav Mehta, bikecrazyy, Birgir Erlendsson, BjornW, Blair jersyer, Blobfolio, bobbingwide, boblinthorst, Boone Gorges, Boro Sitnikovski, Brad Parbs, Bradley Taylor, bramheijmink, Brandon Kraft, Brandon Payton, Brent Swisher, Brian Richards, bridgetwillard, Brooke., bruceallen, bulletdigital, Burhan Nasir, Bytes.co, Caleb Burks, Calin Don, campusboy, carolinegeven, ccismaru, chasewg, Chetan Prajapati, Chouby, ChriCo, chriscct7, Christopher Spires, claudiu, Clifford Paulick, Code Clinic, codegrau, coleh, conner_bw, Corey McKrill, croce, Csaba (LittleBigThings), Cyrus Collier, Daniel Bachhuber, Daniel James, Daniel Koskinen, Daniel Richards, Daniele Scasciafratte, danimalbrown, Danny Cooper, Danny de Haan, Darko A7, Darren Ethier, Dave Pullig, David A. Kennedy, David Anderson, David Binovec, David Cramer, David Herrera, David Lingren, David Shanske, David Stone, dekervit, Denis Yanchevskiy, Dennis Snell, designsimply, dfangstrom, Dhanendran, Dharmesh Patel, Dhaval kasavala, Dhruvin, DiedeExterkate, Dilip Bheda, dingo-d, Dion Hulse, dipeshkakadiya, Dominik Schilling, Donncha O Caoimh, dontstealmyfish, Drew Jaynes, Drivingralle, dschalk, dsifford, dyrer, eamax, eArtboard, edo888, ElectricFeet, Ella Van Durpe, Emil Dotsev, Eric Andrew Lewis, Eric Daams, Erich Munz, Erick Hitter, ericmeyer, etoledom, Evan Solomon, Faisal Alvi, Felipe Elia, Felix Arntz, Fernando Claussen, flipkeijzer, Florian TIAR, FPCSJames, Frank Klein, fuchsws, fullyint, Gabriel Maldonado, Gareth, Garrett Hyder, Gary Jones, Gennady Kovshenin, Gerhard Potgieter, Girish Panchal, GM_Alex, gnif, graymouser, greg, Grzegorz Ziółkowski, Guido, GutenDev ✍㊙, Hafiz Rahman, Hai@LiteSpeed⚡, Hans-Christiaan Braun, Hardeep Asrani, Hardik Amipara, Harsh Patel, haruharuharuby, Heather Burns, Helen Hou-Sandi, Henry Wright, Herre Groen, Hitendra Chopda, Ian Belanger, Ian Dunn, ibantxillo, Ignacio Cruz Moreno, Igor, Igor Benic, imath, ionvv, Irene Strikkers, isabel104, ishitaka, Ivan Mudrik, J.D. Grimes, Jack Reichert, Jacob Peattie, Jake Spurlock, James Nylen, janak Kaneriya, janalwin, Janki Moradiya, janthiel, Jason Caldwell, javorszky, Jaydip Rami, Jayman Pandya, Jb Audras, Jeff Farthing, Jeffrey de Wit, Jeffrey Paul, Jennifer M. Dodd, Jenny, Jeremey, Jeremy Felt, Jeremy Herve, Jeremy Pry, Jeremy Scott, Jesper V Nielsen, Jesse Friedman, Jimmy Comack, Jip Moors, Jiri Hon, JJJ, joanrho, Job, Joe Bailey-Roberts, Joe Dolson, Joe Hoyle, Joe McGill, Joel James ❤️, Joen Asmussen, Johan Falk, John Blackbourn, John Godley, johnalarcon, johnpgreen, johnschulz, Jonathan Champ, Jonathan Desrosiers, joneiseman, Jonny Harris, Joost de Valk, Jorge Costa, Joseph Scott, JoshuaWold, Joy, jpurdy647, jrdelarosa, jryancard, Juhi Patel, Julia Amosova, juliemoynat, Juliette Reinders Folmer, Junaid Ahmed, Justin Sainton, Justin Sternberg, Justin Tadlock, K.Adam White, kapteinbluf, keesiemeijer, Kelly Dwan, kelvink, khaihong, Kiran Potphode, Kite, Kjell Reigstad, kkarpieszuk, kmeze, Knut Sparhell, konainm, Konstantin Obenland, Konstantinos Xenos, kristastevens, krutidugade, laghee, Laken Hafner, Lance Willett, laurelfulford, lbenicio, Leander Iversen, leemon, lenasterg, lisannekluitmans, lizkarkoski, Luca Grandicelli, LucasRolff, luciano-croce, Luke Carbis, Luminus, Mário Valney, maartenleenders, macbookandrew, Maja Benke, Mako, mallorydxw-old, Manuel Augustin, manuel_84, Marc Nilius, marcelo2605, Marco Martins, marco.marsala, Marcus Kazmierczak, marcwieland95, Marius L. J., mariusvw, Mariyan Belchev, Mark Jaquith, Mathieu Sarrasin, mathieuhays, Matt Cromwell, Matt Gibbs, Matt Martz, Matthew Boynes, Matthew Riley MacPherson, mattyrob, mcmwebsol, Mel Choyce, mensmaximus, mermel, metalandcoffee, Micah Wood, Michael Nelson, Michiel Heijmans, Migrated to @sebastienserre, Miguel Fonseca, Miguel Torres, mihaiiceyro, mihdan, Mike Gillihan, Mike Jolley, Mike Schroder, Milan Dinić, Milan Ivanovic, Milana Cap, Milind More, mirkoschubert, Monika Rao, Monique Dubbelman, moto hachi ( mt8.biz ), mrmadhat, Muhammad Kashif, Mukesh Panchal, MultiformeIngegno, munyagu, MyThemeShop, mzorz, nadim0988, nandorsky, Naoki Ohashi, Naoko Takano, nataliashitova, Nate Allen, Nathan Johnson, ndavison, Ned Zimmerman, Nextendweb, Nick Diego, Nick Halsey, Nick Momrik, Nick the Geek, Nicolas Figueira, Nicolas GUILLAUME, Nicolle Helgers, Nidhi Jain, Niels Lange, Nikhil Chavan, Nilambar Sharma, Noam Eppel, notnownikki, odyssey, Omar Reiss, Omkar Bhagat, Ov3rfly, Paal Joachim Romdahl, palmiak, panchen, parbaugh, Parham Ghaffarian, Pascal Birchler, Pascal Casier, Paul Bearne, Paul Biron, Paul Paradise, Paul Schreiber, Perdaan, Peter Putzer, Peter Wilson, Petter Walbø Johnsgård, Pierre Saïkali, Pieter Daalder, Piyush Patel, poena, Pramod Jodhani, Prashant Baldha, Pratik, Pratik K. Yadav, precies, Presskopp, Presslabs, PressTigers, programmin, Punit Patel, Purnendu Dash, Qucheng, Rachel Baker, Rachel Cherry, Rachel Peter, Rafsun Chowdhury, Rahul Prajapati, Raja Mohammed, Ramanan, Rami Yushuvaev, Ramiz Manked, ramonopoly, RavanH, redcastor, remyvv, rensw90, rhetorical, Riad Benguella, Rian Rietveld, Richard Tape, Ricky Lee Whittemore, Rinku Y, Rishi Shah, Robbie, robdxw, Robert Anderson, Robin Cornett, Robin van der Vliet, Ryan McCue, Ryan Paul, Ryan Welcher, ryotsun, Sébastien SERRE, Saša, sagarnasit, Sami Ahmed Siddiqui, Sami Keijonen, Samuel Wood (Otto), sarah semark, Sayed Taqui, Scott Lee, Scott Reilly, Sean Hayes, Sebastian Kurzynoswki, Sebastian Pisula, Sergey Biryukov, Shamim Hasan, Shane Eckert, Sharaz Shahid, Shashwat Mittal, Shawn Hooper, sherwood, Shital Marakana, Shiva Poudel, Simon Prosser, sjardo, skoldin, slilley, slushman, Sonja Leix, sonjanyc, Soren Wrede, spartank, spyderbytes, Stanimir Stoyanov, Stanko Metodiev, stazdotio, Stephen Edgar, Stephen Harris, stevenlinx, Storm Rockwell, Stoyan Kostadinov, strategio, Subrata Sarkar, Sultan Nasir Uddin, swift, Takahashi Fumiki, Takayuki Miyauchi, Tammie Lister, Taylor Lovett, teddytime, Terri Ann, terwdan, tharsheblows, ThemeZee, Thomas Patrick Levy, Thomas Vitale, thomaswm, Thorsten Frommen, Thrijith Thankachan, Tiago Hillebrandt, tigertech, Tim Havinga, Tim Hengeveld, Timmy Crawford, Timothy Jacobs, titodevera, Tkama, Tobias Zimpel, Tom J Nowell, TomHarrigan, Tommy Ferry, tonybogdanov, Tor-Bjorn Fjellner, TorontoDigits, Toshihiro Kanai, Towhidul Islam, transl8or, Ulrich, upadalavipul, Usman Khalid, Utsav tilava, uttam007, Vaishali Panchal, Valérie Galassi, valchovski, vishaldodiya, vnsavage, voneff, vortfu, warmlaundry, wbrubaker, Weston Ruter, Will Kwon, William Earnhardt, williampatton, wpzinc, xhezairi, Yahil Madakiya, Yoav Farhi, Yui, YuriV, Zane Matthew, and zebulan.

    Finally, thanks to all the community translators who worked on WordPress 5.1. Their efforts bring WordPress 5.1 fully translated to 34 languages at release time, with more on the way.

    If you want to follow along or help out, check out Make WordPress and our core development blog.

    Thanks for choosing WordPress!

    WordPress 5.1 RC2

    Posted February 19, 2019 by Gary Pendergast. Filed under Development, Releases.

    The second release candidate for WordPress 5.1 is now available!

    WordPress 5.1 will be released on Thursday, February 21, but we need your help to get there—if you haven’t tried 5.1 yet, now is the time!

    There are two ways to test the WordPress 5.1 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the “bleeding edge nightlies” option), or you can download the release candidate here (zip).

    For details about what to expect in WordPress 5.1, please see the first release candidate post.

    This release includes the final About page design. It also contains fixes for:

    • New WordPress installs not setting the database table prefix correctly (#46220).
    • An HTTP error occurring when opening browser developer tools (#46218).
    • The legacy media dialog having incorrect pagination link styling (#41858).
    • The comment form not appearing when clicking “Reply” on comments loaded via Ajax (#46260).

    Plugin and Theme Developers

    Please test your plugins and themes against WordPress 5.1 and update the Tested up to version in the readme to 5.1. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

    The WordPress 5.1 Field Guide has also been published, which goes into the details of the major changes.

    How to Help

    Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

    If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


    WordPress Five Point One:
    It’s so slick, shiny, and new.
    Lands in a few days!

    WordPress 5.1 Release Candidate

    Posted February 8, 2019 by Gary Pendergast. Filed under Development, Releases.

    The first release candidate for WordPress 5.1 is now available!

    This is an important milestone, as the release date for WordPress 5.1 draws near. “Release Candidate” means that the new version is ready for release, but with millions of users and thousands of plugins and themes, it’s possible something was missed. WordPress 5.1 is scheduled to be released on Thursday, February 21, but we need your help to get there—if you haven’t tried 5.1 yet, now is the time!

    There are two ways to test the WordPress 5.1 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the “bleeding edge nightlies” option), or you can download the release candidate here (zip).

    What’s in WordPress 5.1?

    Inspired by Archie Bell & The Drells, WordPress’s theme for 2019 is to “tighten up”, and WordPress 5.1 focussed on exactly that.

    With security and speed in mind, this release introduces WordPress’s first Site Health features. WordPress will start showing notices to administrators of sites that run long-outdated versions of PHP, which is the programming language that powers WordPress.

    Furthermore, when installing new plugins, WordPress’s Site Health features will check whether a plugin requires a version of PHP incompatible with your site. If so, WordPress will prevent you from installing that plugin.

    The new block editor has kept improving since its introduction in WordPress 5.0. Most significantly, WordPress 5.1 includes solid performance improvements within the editor. The editor should feel a little quicker to start, and typing should feel smoother. There are more features and performance improvements planned in upcoming WordPress releases; you can check them out in the Gutenberg plugin.

    Plugin and Theme Developers

    Please test your plugins and themes against WordPress 5.1 and update the Tested up to version in the readme to 5.1. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

    The WordPress 5.1 Field Guide has also been published, which goes into the details of the major changes.

    How to Help

    Do you speak a language other than English? Help us translate WordPress into more than 100 languages! This release also marks the hard string freeze point of the 5.1 release schedule.

    If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


    This is my release
    candidate. There are many
    like it. This is mine.

    The Month in WordPress: January 2019

    Posted February 4, 2019 by Hugh Lashbrooke. Filed under Month in WordPress.

    The momentum from December’s WordPress 5.0 release was maintained through January with some big announcements and significant updates. Read on to find out what happened in the WordPress project last month.


    WordPress Leadership Grows

    In a milestone announcement this month, WordPress project lead, Matt Mullenweg (@matt), named two individuals who are coming on board to expand the leadership team of the project.

    As Executive Director, Josepha Haden (@chanthaboune) will oversee all the contribution teams across the project. As Marketing & Communications Lead, Joost de Valk (@joostdevalk) will lead the Marketing team and generally oversee improvements to WordPress.org.

    Both Josepha and Joost have contributed to the WordPress project for many years and will certainly have a much larger impact going forward in their new roles.

    WordPress 5.1 Development Continues

    Immediately after the 5.0 release of WordPress, work started on version 5.1 with some highly anticipated new features coming out in the first beta release. Since then, the second and third betas have been made available.

    One of the core updates in this release — a feature to improve the way in which WordPress handles PHP errors — has been pushed back to version 5.2 due to unforeseen issues that would have caused significant delays to the 5.1 release.

    Want to get involved in testing or building WordPress Core? You can install the WordPress Beta Tester plugin, follow the Core team blog, and join the #core channel in the Making WordPress Slack group.


    Further Reading:

    Have a story that we should include in the next “Month in WordPress” post? Please submit it here.


    See Also:

    For more WordPress news, check out the WordPress Planet.
    There’s also a development P2 blog.
    To see how active the project is check out our Trac timeline, it often has 20–30 updates per day.


      Something, something this way blogs – Observations of a Digitally Enlightened Mind

      RSA Announces End of RSA Security Conference

      Aims to bring clarity to cloudy marketing messages through exhibit hall tchotchkes

      Bedford, MA., – April 1, 2014 – RSA, the security division of EMC, today announced their intentions to end the popular RSA security conference and establish a new cloud-security, cloud-only conference.

      RSA plans to leverage the increasing popularity and VC spending on cloud-security companies to refocus their security conference efforts on all things cloud-security. “We just felt that since 90% of the security vendors are using cloud logos in their marketing literature that we could better serve the security community by adopting the same tactics,” said Alex Bender, General Manager of RSA Conference. “For over a decade RSA has provided the security community with a cutting edge conference experience unmatched in the industry, but we also need to recognize that the security industry has become cloudy and if we want to maintain our competitive conference advantage we also needed to get cloudy.” Alex went on to add, “Who knows, maybe we will scrap this whole thing for an advanced security analytics only conference in the next couple of years; that noise is making the rounds as well.”

      “Honestly I’m not sure what any of this has to do with nephrology, we have been researching clouds for decades and I still do not quite get the connection between information technology and changes in atmospheric CO2 leading to changes in global climate models – but wow do those cloud-security companies raise a ton of money,” stated Berkeley Labs Scientist David Romp. “A cloud may look like just a billowing mass of air, but cloud dynamics in fact involves complicated physics. IT clouds are just a bunch of interconnected tubes or something.”

      RSA will officially announce the new RSA Cloud Security Conference at EMC’s IT technology conference EMC world in Las Vegas.

      About RSA Conference

      RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. We help the world’s leading organizations (including 90 percent of the Fortune 500) succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, providing compliance and securing virtual and cloud environments.

      Combining business-critical controls in identity assurance, encryption and key management, SIEM, Data Loss Prevention and Fraud Protection with industry-leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated.

      FORWARD-LOOKING STATEMENTS: This press release contains forward-looking statements within the meaning of U.S. federal securities laws, including expectations regarding the closing of HP’s acquisition of Symantec and the integration, or lack thereof, of its products and technologies into HP’s products and solutions, that involve known and unknown risks and uncertainties that may cause actual results to differ materially from those expressed or implied in this press release. Such risk factors include, among others, satisfaction of closing conditions to the transaction, our ability to successfully integrate the merged businesses and technologies, and customer demand for the technologies and integrated product offerings. Actual results may differ materially from those contained in the forward-looking statements contained in this press release. Additional information concerning these and other risk factors is contained in the Risk Factors sections of HP’s and Symantec’s most recently filed Forms 10-K and 10-Q. HP assumes no obligation to update any forward-looking statement contained in this press release.


      Red Dawn: Unit 61398 – Now What?


      Some of my ‘so-called’ friends that help organize the RSA Security Bloggers event have decided that folks that attend should actually have blogged something recently; well, I haven’t, so to make them happy…

      With the increasing frequency and severity of advanced threats perpetrated by highly organized and sophisticated groups and nation-states, enterprises need to realize that they are either compromised or will be soon. Traditional techniques need to be augmented with more sophisticated and exhaustive methods to provide visibility into all aspects of the internal environment – this requires continuous monitoring and analysis of all ingress and egress traffic patterns from every host on the network, regardless of the source, destination or type of traffic.

      There are 5 key initiatives that every organization should implement:

      1. Invest in security professionals that have strong experience with forensic investigation and incident response
      2. Implement incident response programs that complement and extend current prevention approaches to information security
      3. Deploy network security technologies that provide deep visibility into the state of the internal network and can collect, analyze and archive massive amounts of all network flow data
      4. Ensure network monitoring solutions integrate with existing network security tools, such as IDS/IPS, SIEM, and firewalls
      5. Make security awareness throughout the organization an ongoing element of the information security program

      Brevity is a gift shared by very few in the security industry =)

      20 Years in Infosec; Time to Party like it’s *1999

      I am not a big fan of AT&T (here), but this video from AT&T released in 1990 is about the most insightful view into modern day infosec I’ve ever seen (here) and since it was produced pre-brick walls on fire and simple clouds to depict complex relationships it is more believable than most security marketing crap.

      Neat story:

      We began homeschooling this year – why? Convictions, ideals, teaching to excellence versus teaching to the medium – as part of this the boys (11 & 13) are to keep up with current affairs of their choosing. My older son was quite intrigued by a story in the Economist about **Iran, something about how if they are bombed it would only slow down their nuclear ambitions, not destroy them, and worse it would dramatically increase global crankiness.

      As he was sitting down to prepare his report I received an email from a reporter in Azerbaijan asking for comment on Iran’s cyber-security capabilities, especially as it relates to their nuclear program…a topic I am uniquely unqualified to comment on, but neither here nor there…so the other morning my son read his report, which included his dad’s quotes from the Azerbaijani article. As a father it’s cool to draw the world full-circle like that, but the entire experience made me feel really old and reminded me that a new generation of folks needs to be mentored and enabled.

      * Why would a disciple of the eternal order of the packet want to party like it’s 1999?

      Perhaps 1999 was the first year that folks actually believed they could make a difference, or more likely that was the year by which the majority of security products in use today had all been invented; since then it’s been a three-way battle between fail, bravado, and dreams deferred to produce iterations of the previously invented, but really nothing new.

      ** Disclaimer: I know very little about making money (or Iran), but the markets will be impacted as western powers continue to intentionally spread democracy across the Middle East; do with that information what you will.

      Searching for Privacy in a World Without Secrets

      “I am not a number, I am a free man”

      IDC reported that we generated and replicated 1.8 zettabytes – that’s 1.8 trillion gigabytes – of data in 2011. To give you an example of scale, you would need to stack CDs from Earth to the Moon and back again – twice – to represent that amount of data, and it’s expected to grow 50x by 2020. Interesting factoid: through April of 2011 the Library of Congress had stored 235 TB of data. In 2011, 15 out of 17 sectors in the US have more data per company than the US Library of Congress, and much of that data is about you.

      Facebook is preparing to raise $100 billion, yes a hundred billion, in a highly anticipated IPO next spring. Twitter is valued at $10 billion, and social media companies are pulling massive valuations. In terms of data, roughly 4 billion pieces of content are shared on Facebook every day, and Twitter registered 177 million tweets per day in March of 2011. The success of these companies, and many others, is trade in human commodity. There is an inherent value to your tweet, your wall post, becoming mayor at some DC cafe or posting your location to wherever people post those things, but the real value is simply in your existence as a number in a sea of other 1s and 0s.

      We are entering a world where every aspect of our lives, short of those thoughts we hold deep, will be processed, indexed, analyzed and archived forever. What we search for, our online activity, where and how we drive, what we buy, when and how often, our health, financial, and personal records digitized for quick sale to the highest bidder. Never before have we had the ability to implement systems to handle massive volumes of disparate data at a velocity that can only be described as break-neck, and with this ability comes the inevitable misuse.

      The commercial implications for companies seeking access to this depth and breadth of customer intelligence are clear, but this same information federated with the analysis of unstructured video, picture, voice and text data in the hands of our government, or one that meant us harm, is truly frightening.

      Social media is an interesting experiment in applying a large scale operant conditioning chamber to a mass population; the law of effect is a retweet, a friending, being listed on a top x most influential list, or whatever else elicits the desired response. We leap head first off the cliff of technology and only concern ourselves with the implications when they become a problem for us.

      The irony is that in our search for identity and individuality in an increasingly digital world we have willingly surrendered that which we used to hold so dear – our privacy.

      May future generations forgive us.

      Class-action Lawsuit Against HP for Not Disclosing Security Vulnerabilities Has Huge Implications

      On December 1, 2011 a class-action lawsuit was filed in United States District Court, Northern District of California, against Hewlett-Packard, alleging violations of The California Consumer Legal Remedies Act for Injunctive Relief and the California Unfair Competition Law based on non-disclosure of a known security vulnerability (read the filing here).

      Nature of the Action

      1. Plaintiff brings this action individually and as a class action against Hewlett-Packard Company (“Hewlett-Packard” or “HP” or “Defendant”) on behalf of all others who purchased a Hewlett-Packard printer (the “HP Printers”).

      2. The HP Printers suffer from a design defect in the software (which is also sometimes referred to as “firmware”) that is resident on the HP Printers, which allows computer hackers to gain access to the network on which the HP Printers are connected, steal sensitive information, and even flood the HP Printers, themselves, with commands that are able to control the HP Printers and even cause physical damage to the HP Printers themselves.

      3. Despite Defendant’s knowledge of the design defect in the software of the HP Printers, Defendant has failed to disclose the existence of the defect to consumers.

      4. As a result of the facts alleged herein, Defendant has violated California laws governing consumer protection.


      One Warm Coat…Two Changed Lives

      <Warning: This post has nothing to do with technology, information security, or anything else I normally blog about>

      This post is dedicated to the memory of Stephanie Renee Fong

When I was in my early 20s I met a young woman named Stephanie, and we quickly grew very close. Stephanie was special to me in many ways, but most of all she always seemed to provide me so much warmth and comfort.

One winter she bought me this really cool, warm coat; she ended up wearing it most of the time, to the point that it smelled like her, which always brought a smile to my face.

      Stephanie was allergic to legumes and also suffered from Asthma, which required her to use a special prescription inhaler. I never realized the extent that allergies can impact us until one day in August 1994.  Continue reading

      Incomplete Thought: Are You Really Data-Driven or Just Using Data To Prove a Point?

      I love data, I love the benefits that data analysis offers, and I love the concept of large amounts of data being massaged, queried, and providing insights through a whole new set of technical innovations – and there are many in data right now. In fact I believe that this year has probably been the largest year for VC investments in database technologies in a really, really long time (Recent VC investment in NoSQL companies; Neotech $10.6m, Datastax $11m, 10Gen $20m, Couchbase $14m + all the $ in big data, BI and analytics)

      Continue reading

      #####EOF##### WordPress.com Forums

      #####EOF##### WordPress Hosting Recommendations | WordPress.org

      WordPress Web Hosting

      There are hundreds of thousands of web hosts out there, the vast majority of which meet the WordPress minimum requirements, and choosing one from the crowd can be a chore. Just like flowers need the right environment to grow, WordPress works best when it’s in a rich hosting environment.

      We’ve dealt with more hosts than you can imagine; in our opinion, the hosts below represent some of the best and brightest of the hosting world. If you do decide to go with one of the hosts below and click through from this page, some will donate a portion of your fee back—so you can have a great host and support WordPress.org at the same time. If you don’t need the flexibility of a full web host, you may consider getting a free blog on WordPress.com.

Bluehost

      Powering over 2 million websites, Bluehost offers the ultimate WordPress platform. Tuned for WordPress, we offer WordPress-centric dashboards and tools along with 1-click installation, a FREE domain name, email, FTP, and more. Easily scalable and backed by legendary 24/7 support by in-house WordPress experts.

DreamHost

      DreamHost has been committed to WordPress and its community for over 10 years. Our hosting platforms are optimized for WordPress and our team actively contributes to the WordPress community. At DreamHost, you take total control of your server or let our team of experts handle everything for you. DreamHost offers choice, performance and value for new users and experts alike.

SiteGround

      SiteGround has tools that make managing WordPress sites easy: one-click install, managed updates, WP-Cli, WordPress staging and git integration. We have a very fast support team with advanced WordPress expertise available 24/7. We provide latest speed technologies that make WordPress load faster: NGINX-based caching, SSD-drives, PHP 7, CDN, HTTP/2. We proactively protect the WordPress sites from hacks.

      Host Feedback

      We’re committed to helping create a wholesome and hassle-free WordPress hosting environment. If you feel there are issues with one of the hosts listed here, please send a note to hosting dash feedback at this domain. If the situation warrants we’ll work with you and your host on a solution.

      Note before contacting us: Please don’t send us legal takedown orders or threats, we don’t actually host every WordPress blog in the world. If you don’t understand that, you probably shouldn’t be sending legal notices anyway.

      Be Listed on This Page

      We’ll be looking at this list several times a year, so keep an eye out for us re-opening the survey for hosts to submit themselves for inclusion. Listing is completely arbitrary, but includes criteria like: contributions to WordPress.org, size of customer base, ease of WP auto-install and auto-upgrades, avoiding GPL violations, design, tone, historical perception, using the correct logo, capitalizing WordPress correctly, not blaming us if you have a security issue, and up-to-date system software.

      #####EOF##### A Few Thoughts on Cryptographic Engineering – Some random thoughts about crypto. Notes from a course I teach. Pictures of my dachshunds.

      Attack of the week: searchable encryption and the ever-expanding leakage function

      A few days ago I had the pleasure of hosting Kenny Paterson, who braved snow and historic cold (by Baltimore standards) to come talk to us about encrypted databases.

      Kenny’s newest result is with first authors Paul Grubbs, Marie-Sarah Lacharité and Brice Minaud (let’s call it GLMP). It isn’t so much about building encrypted databases, as it is about the risks of building them badly. And — for reasons I will get into shortly — there have been a lot of badly-constructed encrypted database schemes going around. What GLMP point out is that this weakness isn’t so much a knock against the authors of those schemes, but rather, an indication that they may just be trying to do the impossible.

      Hopefully this is a good enough start to get you drawn in. Which is excellent, because I’m going to need to give you a lot of background.

      What’s an “encrypted” database, and why are they a problem?

      Databases (both relational and otherwise) are a pretty important part of the computing experience. Modern systems make vast use of databases and their accompanying query technology in order to power just about every software application we depend on.

      Because these databases often contain sensitive information, there has been a strong push to secure that data. A key goal is to encrypt the contents of the database, so that a malicious database operator (or a hacker) can’t get access to it if they compromise a single machine. If we lived in a world where security was all that mattered, the encryption part would be pretty easy: database records are, after all, just blobs of data — and we know how to encrypt those. So we could generate a cryptographic key on our local machine, encrypt the data before we upload it to a vulnerable database server, and just keep that key locally on our client computer.

      Voila: we’re safe against a database hack!

      The problem with this approach is that encrypting the database records leaves us with a database full of opaque, unreadable encrypted junk. Since we have the decryption key on our client, we can decrypt and read those records after we’ve downloaded them. But this approach completely disables one of the most useful features of modern databases: the ability for the database server itself to search (or query) the database for specific records, so that the client doesn’t have to.

      Unfortunately, standard encryption borks search capability pretty badly. If I want to search a database for, say, employees whose salary is between $50,000 and $100,000, my database is helpless: all it sees is row after row of encrypted gibberish. In the worst case, the client will have to download all of the data rows and search them itself — yuck.

      This has led to much wailing and gnashing of teeth in the database community. As a result, many cryptographers (and a distressing number of non-cryptographers) have tried to fix the problem with “fancier” crypto. This has not gone very well.

      It would take me a hundred years to detail all of various solutions that have been put forward. But let me just hit a few of the high points:

      • Some proposals have suggested using deterministic encryption to encrypt database records. Deterministic encryption ensures that a given plaintext will always encrypt to a single ciphertext value, at least for a given key. This enables exact-match queries: a client can simply encrypt the exact value (“John Smith”) that it’s searching for, and ask the database to identify encrypted rows that match it.
      • Of course, exact-match queries don’t support more powerful features. Most databases also need to support range queries. One approach to this is something called order revealing encryption (or its weaker sibling, order preserving encryption). These do exactly what they say they do: they allow the database to compare two encrypted records to determine which plaintext is greater than the other.
      • Some people have proposed to use trusted hardware to solve these problems in a “simpler” way, but as we like to say in cryptography: if we actually had trusted hardware, nobody would pay our salaries. And, speaking more seriously, even hardware might not stop the leakage-based attacks discussed below.

      This summary barely scratches the surface of this problem, and frankly you don’t need to know all the details for the purpose of this blog post.

What you do need to know is that each of the above proposals entails some degree of “leakage”. Namely, if I’m an attacker who is able to compromise the database, both to see its contents and to see how it responds when you (a legitimate user) make a query, then I can learn something about the data being queried.

What are some examples of leakage, and what’s a leakage function?

      Leakage is a (nearly) unavoidable byproduct of an encrypted database that supports queries. It can happen when the attacker simply looks at the encrypted data, as she might if she was able to dump the contents of your database and post them on the dark web. But a more powerful type of leakage occurs when the attacker is able to compromise your database server and observe the query interaction between legitimate client(s) and your database.

      Take deterministic encryption, for instance.

Deterministic encryption has the very useful, but also unpleasant, feature that the same plaintext will always encrypt to the same ciphertext. This leads to very obvious types of leakage, in the sense that an attacker can see repeated records in the dataset itself. Extending this to the active setting, if a legitimate client queries on a specific encrypted value, the attacker can see exactly which records match the client’s encrypted value. She can see how often each value occurs, which gives an indication of what value it might be (e.g., the last name “Smith” is more common than “Azriel”.) All of these vectors leak valuable information to an attacker.

      Other systems leak more. Order-preserving encryption leaks the exact order of a list of underlying records, because it causes the resulting ciphertexts to have the same order. This is great for searching and sorting, but unfortunately it leaks tons of useful information to an attacker. Indeed, researchers have shown that, in real datasets, an ordering can be combined with knowledge about the record distribution in order to (approximately) reconstruct the contents of an encrypted database.

      Fancier order-revealing encryption schemes aren’t quite so careless with your confidentiality: they enable the legitimate client to perform range queries, but without leaking the full ordering so trivially. This approach can leak less information: but a persistent attacker will still learn some data from observing a query and its response — at a minimum, she will learn which rows constitute the response to a query, since the database must pack up the matching records and send them over to the client.

      If you’re having trouble visualizing what this last type of leakage might look like, here’s a picture that shows what an attacker might see when a user queries an unencrypted database vs. what the attacker might see with a really “good” encrypted database that supports range queries:

[Figure: what an attacker observes for a query against an unencrypted database, versus against a “good” encrypted database that supports range queries]

      So the TL;DR here is that many encrypted database schemes have some sort of “leakage”, and this leakage can potentially reveal information about (a) what a client is querying on, and (b) what data is in the actual database.

      But surely cryptographers don’t build leaky schemes?

      Sometimes the perfect is the enemy of the good.

Cryptographers could spend a million years stressing themselves to death over the practical impact of different types of leakage. They could also try to do things perfectly using expensive techniques like fully-homomorphic encryption and oblivious RAM, but the results would be highly inefficient. So a common view in the field is that researchers should do the very best we can, and then carefully explain to users what the risks are.

      For example, a real database system might provide the following guarantee:

      “Records are opaque. If the user queries for all records BETWEEN some hidden values X AND Y then all the database will learn is the row numbers of the records that match this range, and nothing else.”

      This is a pretty awesome guarantee, particularly if you can formalize it and prove that a scheme achieves it. And indeed, this is something that researchers have tried to do. The formalized description is typically achieved by defining something called a leakage function. It might not be possible to prove that a scheme is absolutely private, but we can prove that it only leaks as much as the leakage function allows.

      Now, I may be overdoing this slightly, but I want to be very clear about this next part:

      Proving your encrypted database protocol is secure with respect to a specific leakage function does not mean it is safe to use in practice. What it means is that you are punting that question to the application developer, who is presumed to know how this leakage will affect their dataset and their security needs. Your leakage function and proof simply tell the app developer what information your scheme is (provably) going to protect, and what it won’t.

      The obvious problem with this approach is that application developers probably don’t have any idea what’s safe to use either. Helping them to figure this out is one goal of this new GLMP paper and its related work.

      So what leaks from these schemes?

      GLMP don’t look at a specific encryption scheme. Rather, they ask a more general question: let’s imagine that we can only see that a legitimate user has made a range query — but not what the actual queried range values are. Further, let’s assume we can also see which records the database returns for that query, but not their actual values.

      How much does just this information tell us about the contents of the database?

You can see that this is a very limited amount of leakage. Indeed, it is possibly the least amount of leakage you could imagine for any system that supports range queries and is also efficient. So in one sense, you could say the authors are asking a different and much more important question: are any of these encrypted databases actually secure?

      The answer is somewhat worrying.

      Can you give me a simple, illuminating example?

      Let’s say I’m an attacker who has compromised a database, and observes the following two range queries/results from a legitimate client:

      Query 1: SELECT * FROM Salaries BETWEEN ⚙️ and 🕹    Result 1: (rows 1, 3, 5)
      Query 2: SELECT * FROM Salaries BETWEEN 😨 and 🎱    Result 2: (rows 1, 43, 3, 5)

      Here I’m using the emoji to illustrate that an attacker can’t see the actual values submitted within the range queries — those are protected by the scheme — nor can she see the actual values of the result rows, since the fancy encryption scheme hides all this stuff. All the attacker sees is that a range query came in, and some specific rows were scooped up off disk after running the fancy search protocol.

      So what can the attacker learn from the above queries? Surprisingly: quite a bit.

At the very minimum, the attacker learns that Query 2 returned every record that Query 1 did, so the two ranges overlap. Query 2 also returned one additional record (row 43) that is not within the range of Query 1. Since a range query over a sorted column can only return a contiguous block of records, row 43 must be either the next greater or the next smaller record relative to the block formed by rows 1, 3 and 5. That’s useful information.
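To make the adjacency reasoning above concrete, here is an added example (not code from the original post, and not the PQ-tree algorithm from the GLMP paper): a brute-force enumeration of every ordering of a handful of rows in which each leaked result set forms one contiguous block, which is the only constraint a range query imposes. The observations are constructed: the two result sets from the post, followed by two further hypothetical queries, each of which shrinks the set of candidate orderings. No query endpoints or distribution are used, so this is the distribution-independent ordering leakage the post returns to later.

```python
from itertools import permutations


def consistent_orderings(observations, rows):
    """Every left-to-right ordering of `rows` in which each leaked result set
    occupies one contiguous block.  A range query over a sorted column can only
    ever return a contiguous block, so this is exactly the constraint the
    attacker gets from seeing which rows came back.  Brute force: fine for a
    handful of rows, which is all this illustration needs."""
    valid = []
    for perm in permutations(rows):
        pos = {r: i for i, r in enumerate(perm)}
        if all(max(pos[r] for r in s) - min(pos[r] for r in s) == len(s) - 1
               for s in observations if s):
            valid.append(perm)
    return valid


def canonical(orderings):
    """Fold each ordering together with its reverse: the leakage can never
    distinguish ascending from descending order."""
    return sorted({min(p, p[::-1]) for p in orderings})


def demo():
    """Constructed observations.  The first two are the result sets from the
    post (rows 1, 3, 5 and then 1, 43, 3, 5); the next two are hypothetical
    follow-up queries.  Returns how many orderings survive after each step."""
    rows = (1, 3, 5, 43)
    observed = [
        frozenset({1, 3, 5}),       # Query 1 from the post
        frozenset({1, 3, 5, 43}),   # Query 2 from the post: row 43 is adjacent to the block
        frozenset({3, 5}),          # hypothetical: rows 3 and 5 are neighbours
        frozenset({5, 43}),         # hypothetical: rows 5 and 43 are neighbours
    ]
    survivors = []
    for k in range(1, len(observed) + 1):
        survivors.append(len(canonical(consistent_orderings(observed[:k], rows))))
    return survivors


if __name__ == "__main__":
    for k, count in enumerate(demo(), 1):
        print(f"after {k} leaked result set(s): {count} ordering(s) up to reversal")
```

With only four rows, the first result set already forces row 43 to one end, so the second adds nothing here; in a larger table it is the superset result that pins row 43 next to the block. Each later query roughly halves the surviving orderings, and the attacker never needs to know what the client actually searched for.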

      Get enough useful information, it turns out that it starts to add up. In 2016, Kellaris, Kollios, Nissim and O’Neill showed that if you know the distribution of the query range endpoints — for example, if you assumed that they were uniformly random — then you can get more than just the order of records. You can reconstruct the exact value of every record in the database.

This result is statistical in nature. If I know that the queries are uniformly random, then I can model how often a given value (say, Age=34 out of a range 1-120) should be responsive to a random range query. By counting how often a specific row actually appears in the results after many such queries, I can guess which rows correspond to which record values. The more queries I see, the more certain I can be. The Kellaris et al. paper shows that this takes $O(N^4 \log N)$ queries, where N is the number of possible values your data can take on (e.g., the ages of your employees, ranging between 1 and 100, would give N=100). This is assuming an arbitrary dataset. The results get much better if the database is “dense”, meaning every possible value occurs at least once.

      In practice the Kellaris et al. results mean that database fields with small domains (like ages) could be quickly reconstructed after observing a reasonable number of queries from a legitimate user, albeit one who likes to query everything randomly.

      So that’s really bad!

The main bright spot in this research, at least up until recently, was that many types of data have much larger domains. If you’re dealing with salary data ranging from, say, $1 to $200,000, then N=200,000 and the dominant $N^4$ term tends to make the Kellaris et al. attacks impractical, simply because they’ll need too many queries. Similarly, data like employee last names (encoded in a form that can be sorted and range-queried) gives you even vaster domains, like $N = 26^{12}$, say, and so perhaps we could pleasantly ignore these results and spend our time on more amusing engagements.

      I bet we can’t ignore these results, can we?

Indeed, it seems that we can’t. The reason we can’t sit on our laurels and hope for an attacker to die of old age recovering large-domain data sets is due to something called approximate database reconstruction, or $\epsilon$-ADR.

The setting here is the same: an attacker sits and watches a legitimate client make (uniformly random) range queries. The critical difference is that this attacker isn’t trying to get every database record back at its exact value: she’s willing to tolerate some degree of error, up to an additive $\epsilon N$. For example, if I’m trying to recover employee salaries, I don’t need them to be exact: getting them within 1% or 5% is probably good enough for my purposes. Similarly, reconstructing nearly all of the letters in your last name probably lets me guess the rest, especially if I know the distribution of common last names.

Which finally brings us to this new GLMP paper, which puts $\epsilon$-ADR on steroids. What it shows is that, in the same setting, if one is willing to “sacrifice” a few of the highest and lowest values in the database, an attacker can reconstruct nearly the full database in a much smaller (asymptotic) number of queries, specifically $O(\epsilon^{-2} \log \epsilon^{-1})$ queries, where $\epsilon$ is the error parameter.

The important thing to notice about these results is that the value N has dropped out of the equation. The only term that’s left is the error term $\epsilon$. That means these results are “scale-free”, and (asymptotically, at least) they work just as well for small values of N as for large ones, and for large databases as for small ones. This is really remarkable.

      Big-O notation doesn’t do anything for me: what does this even mean?

      Big-O notation is beloved by computer scientists, but potentially meaningless in practice. There could be huge constants in these terms that render these attacks completely impractical. Besides, weird equations involving epsilon characters are impossible for humans to understand.

      Sometimes the easiest way to understand a theoretical result is to plug some actual numbers in and see what happens. GLMP were kind enough to do this for us, by first generating several random databases — each containing 1,000 records, for different values of N. They then ran their recovery algorithm against a simulated batch of random range queries to see what the actual error rate looked like as the query count increased.

      Here are their results:

[Figure: GLMP experimental results, reconstruction error versus number of queries]
      Experimental results (Figure 2) from Grubbs et al. (GLMP, 2019). The Y-axis represents the measured error between the reconstructed database and the actual dataset (smaller is better.) The X-axis represents the number of queries. Each database contains 1,000 records, but there are four different values of N tested here. Notice that the biggest error occurs around the very largest and smallest values in the dataset, so the results are much better if one is willing to “sacrifice” these values.

      Even after just 100 queries, the error in the dataset has been hugely reduced, and after 500 queries the contents of the database — excluding the tails — can be recovered with only about a 1-2% error rate.

      Moreover, these experimental results illustrate the fact that recovery works at many scales: that is, they work nearly as well for very different values of N, ranging from 100 to 100,000. This means that the only variable you really need to think about as an attacker is: how close do I need my reconstruction to be? This is probably not very good news for any real data set.

      How do these techniques actually work?

      The answer is both very straightforward and deeply complex. The straightforward part is simple; the complex part requires an understanding of Vapnik-Chervonenkis learning theory (VC-theory) which is beyond the scope of this blog post, but is explained in the paper.

      At the very highest level the recovery approach is similar to what’s been done in the past: using response probabilities to obtain record values. This paper does it much more efficiently and approximately, using some fancy learning theory results while making a few assumptions.

Concretely: we are going to assume that the range queries are made on random endpoints ranging from 1 to N. This is a big assumption, and more on it later! Yet with just this knowledge in hand, we learn quite a bit. For example: we can compute the probability that a potential record value (say, the specific salary $34,234) is going to be sent back, provided we know every value lies in the range 1 to N (say, we know all salaries are between $1 and $200,000).

      If we draw the resulting probability curve in freehand, it might look something like the chart below. This isn’t actually to scale or (probably) even accurate, but it illustrates a key point: by the nature of (random) range queries, records near the center are going to have a higher overall chance of being responsive to any given query, since the “center” values are more frequently covered by random ranges, and records near the extreme high- and low values will be chosen less frequently.

[Figure: freehand sketch of the expected response rate of a record as a function of its value, peaking at the middle of the range]
      I drew this graph freehand to mimic a picture in Kenny’s slides. Not a real plot!

The high-level goal of database reconstruction is to match the observed response rate for a given row (say, row 41) to the number of responses we’d expect to see for different specific concrete values in the range. Clearly the accuracy of this approach is going to depend on the number of queries you, the attacker, can observe: more is better. And since the response rates are lower at the highest and lowest values, it will take more queries to guess outlying data values.

You might also notice that there is one major pitfall here. Since the graph above is symmetric around its midpoint, the expected response rate will be the same for a record at .25*N and a record at .75*N; that is, a $50,000 salary will be responsive to random queries at precisely the same rate as a $150,000 salary. So even if you get every database row pegged precisely to its response rate, your results might still be “flipped” horizontally around the midpoint. Usually this isn’t the end of the world, because databases aren’t normally full of unstructured random data: high salaries will be less common than low salaries in most organizations, for example, so you can probably figure out the ordering based on that assumption. But this last “bit” of information is technically not guaranteed to come back, absent some assumptions about the data set.

Thus, the recovery algorithm breaks down into two steps: first, observe the response rate for each record as random range queries arrive. Then, for each record that responds to such queries, solve for a concrete value that minimizes the difference between the expected response rate at that value and the observed rate. The probability estimation can be made more efficient (eliminating a quadratic term) by assuming that there is at least one record in the database within the range .2N-.3N (or .7N-.8N, due to symmetry). Using this “anchor” record requires a mild assumption about the database contents.
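The two steps above, as an added worked example (my own simplified variant, not the GLMP algorithm and not code from the post): it assumes the query endpoints are uniform over all n(n+1)/2 ranges of [1, N], derives the response-rate curve in closed form, inverts it per row to get the two mirror-image candidates, and then uses co-occurrence with an anchor row (assumed to lie in the lower half, at roughly 0.25 N) to pick each row’s side of the mirror. The data set is constructed (200 low-skewed “salaries”), and every function and parameter name is my own.

```python
import random
from math import sqrt


def coverage_probability(v, n):
    """Probability that a uniformly random range [a, b], 1 <= a <= b <= n,
    contains the value v: v choices for a times (n - v + 1) choices for b,
    out of n(n+1)/2 ranges in total.  Symmetric about (n+1)/2."""
    return 2.0 * v * (n - v + 1) / (n * (n + 1))


def cocoverage_probability(v1, v2, n):
    """Probability that one random range contains both v1 and v2."""
    lo, hi = min(v1, v2), max(v1, v2)
    return 2.0 * lo * (n - hi + 1) / (n * (n + 1))


def invert_rate(rate, n):
    """Solve coverage_probability(v, n) == rate for v.  Because the curve is
    symmetric there are two solutions, v and n+1-v; both are returned."""
    k = rate * n * (n + 1) / 2.0                 # k = v * (n - v + 1)
    disc = max(0.0, (n + 1) ** 2 - 4.0 * k)      # sampling noise can push rate above the peak
    root = sqrt(disc)
    return max(1.0, (n + 1 - root) / 2.0), min(float(n), (n + 1 + root) / 2.0)


def observe(values, n, q, rng):
    """Simulate q uniformly random range queries over [1, n].  Returns only
    what a server-side attacker sees: the set of matching row indices per
    query, never the endpoints and never the plaintext values."""
    leak = []
    while len(leak) < q:
        a, b = rng.randint(1, n), rng.randint(1, n)
        if a > b:
            continue     # rejection keeps every one of the n(n+1)/2 ranges equally likely
        leak.append(frozenset(i for i, v in enumerate(values) if a <= v <= b))
    return leak


def reconstruct(leak, num_rows, n):
    """Approximate reconstruction from leaked row sets (my simplified variant)."""
    q = len(leak)
    hits = [0] * num_rows
    for s in leak:
        for i in s:
            hits[i] += 1
    # Step 1: each row's hit rate pins its value up to the mirror v <-> n+1-v.
    cands = [invert_rate(h / q, n) for h in hits]
    # Anchor assumption: the row whose rate best matches a value of 0.25*n is
    # taken to lie in the lower half.  If it really sits near 0.75*n the whole
    # reconstruction comes out mirrored, which the attack cannot detect.
    target = coverage_probability(0.25 * n, n)
    anchor = min(range(num_rows), key=lambda i: abs(hits[i] / q - target))
    anchor_v = cands[anchor][0]
    # Step 2: co-occurrence with the anchor decides which mirror image each row is.
    with_anchor = [0] * num_rows
    for s in leak:
        if anchor in s:
            for i in s:
                with_anchor[i] += 1
    est = []
    for i in range(num_rows):
        observed = with_anchor[i] / q
        est.append(min(cands[i],
                       key=lambda v: abs(cocoverage_probability(anchor_v, v, n) - observed)))
    return est


def reconstruction_error(values, est, n):
    """Mean absolute error as a fraction of the domain size n, taking the better
    of the two mirror orientations (the attack cannot tell them apart)."""
    m = len(values)
    direct = sum(abs(v - e) for v, e in zip(values, est)) / (m * n)
    mirrored = sum(abs(v - (n + 1 - e)) for v, e in zip(values, est)) / (m * n)
    return min(direct, mirrored)


def demo(n=1000, num_rows=200, q=2000, seed=7):
    """Constructed data set: 200 'salaries' in 1..n, skewed toward the low end."""
    rng = random.Random(seed)
    values = [min(n, 1 + int(rng.expovariate(4.0 / n))) for _ in range(num_rows)]
    leak = observe(values, n, q, rng)
    return reconstruction_error(values, reconstruct(leak, num_rows, n), n)


if __name__ == "__main__":
    print(f"mean error as a fraction of N: {demo():.3f}")
```

The error stays within a few percent of N after two thousand queries, and, as the post says, it is worst for rows near the extremes (few hits, so the side choice is noisy) and near the midpoint (where the rate curve is flat, so inverting it is ill-conditioned). Changing n in demo() while keeping the query count fixed leaves the fractional error roughly unchanged, which is the scale-free behaviour the post describes.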

      What remains is to show that the resulting attack is efficient. You can do this by simply implementing it — as illustrated by the charts above. Or you can prove that it’s efficient. The GLMP paper uses some very heavy statistical machinery to do the latter. Specifically, they make use of a result from Vapnik-Chervonenkis learning theory (VC-theory), which shows that the bound can be derived from something called the VC-dimension (which is a small number, in this case) and is unrelated to the actual value of N. That proof forms the bulk of the result, but the empirical results are also pretty good.

      Is there anything else in the paper?

      Yes. It gets worse. There’s so much in this paper that I cannot possibly include it all here without risking carpal tunnel and boredom, and all of it is bad news for the field of encrypted databases.

The biggest additional result is one that shows that if all you want is an approximate ordering of the database rows, then you can do this efficiently using something called a PQ tree. Asymptotically, this requires $O(\epsilon^{-1} \log \epsilon^{-1})$ queries, and experimentally the results are again even better than one would expect.

      What’s even more important about this ordering result is that it works independently of the query distribution. That is: we do not need to have random range queries in order for this to work: it works reasonably well regardless of how the client puts its queries together (up to a point).

      Even better, the authors show that this ordering, along with some knowledge of the underlying database distribution — for example, let’s say we know that it consists of U.S. citizen last names — can also be used to obtain approximate database reconstruction. Oy vey!

      And there’s still even more:

      • The authors show how to obtain even more efficient database recovery in a setting where the query range values are known to the attacker, using PAC learning. This is a more generous setting than previous work, but it could be realistic in some cases.
      • Finally, they extend this result to prefix and suffix queries, as well as range queries, and show that they can run their attacks on a dataset from the Fraternal Order of Police, obtaining record recovery in a few hundred queries.

      In short: this is all really bad for the field of encrypted databases.

      So what do we do about this?

      I don’t know. Ignore these results? Fake our own deaths and move into a submarine?

In all seriousness: database encryption has been a controversial subject in our field. I wish I could say that there’s been an actual debate, but it’s more that different researchers have fallen into different camps, and nobody has really had the data to make their case in a compelling way. There have actually been some very personal arguments made about it.

      The schools of thought are as follows:

      The first holds that any kind of database encryption is better than storing records in plaintext and we should stop demanding things be perfect, when the alternative is a world of constant data breaches and sadness.

      To me this is a supportable position, given that the current attack model for plaintext databases is something like “copy the database files, or just run a local SELECT * query”, and the threat model for an encrypted database is “gain persistence on the server and run sophisticated statistical attacks.” Most attackers are pretty lazy, so even a weak system is probably better than nothing.

      The countervailing school of thought has two points: sometimes the good is much worse than the perfect, particularly if it gives application developers an outsized degree of confidence in the security that their encryption system is going to provide them.

      If even the best encryption protocol is only throwing a tiny roadblock in the attacker’s way, why risk this at all? Just let the database community come up with some kind of ROT13 encryption that everyone knows to be crap and stop throwing good research time into a problem that has no good solution.

      I don’t really know who is right in this debate. I’m just glad to see we’re getting closer to having it.

      On Ghost Users and Messaging Backdoors

      The past few years have been an amazing time for the deployment of encryption. In ten years, encrypted web connections have gone from a novelty into a requirement for running a modern website. Smartphone manufacturers deployed default storage encryption to billions of phones. End-to-end encrypted messaging and phone calls are now deployed to billions of users.

      While this progress is exciting to cryptographers and privacy advocates, not everyone sees it this way. A few countries, like the U.K. and Australia, have passed laws in an attempt to gain access to this data, and at least one U.S. proposal has made it to Congress. The Department of Justice recently added its own branding to the mix, asking tech companies to deploy “responsible encryption”.

      What, exactly, is “responsible encryption”? Well, that’s a bit of a problem. Nobody on the government’s side of the debate has really been willing to get very specific about that. In fact, a recent speech by U.S. Deputy Attorney General Rod Rosenstein implored cryptographers to go figure it out.

      With this as background, a recent article by GCHQ’s Ian Levy and Crispin Robinson reads like a breath of fresh air. Unlike their American colleagues, the British folks at GCHQ — essentially, the U.K.’s equivalent of NSA — seem eager to engage with the technical community and to put forward serious ideas. Indeed, Levy and Robinson make a concrete proposal in the article above: they offer a new solution designed to surveil both encrypted messaging and phone calls.

      In this post I’m going to talk about that proposal as fairly as I can — given that I only have a high-level understanding of the idea. Then I’ll discuss what I think could go wrong.

      A brief, illustrated primer on E2E

      The GCHQ proposal deals with law-enforcement interception on messaging systems and phone calls. To give some intuition about the proposal, I first need to give a very brief (and ultra-simplified) explanation of how those systems actually work.

      The basic idea in any E2E communication system is that each participant encrypts messages (or audio/video data) directly from one device to the other. This layer of encryption reduces the need to trust your provider’s infrastructure — ranging from telephone lines to servers to undersea cables — which gives added assurance against malicious service providers and hackers.

      If you’ll forgive a few silly illustrations, the intuitive result is a picture that looks something like this:

      [Illustration: E2E]

      If we consider the group chat/call setting, the picture changes slightly, but only slightly. Each participant still encrypts data to the other participants directly, bypassing the provider. The actual details (specific algorithms, key choices) vary between different systems. But the concept remains the same.

      [Illustration: GroupE2E]

      The problem with the simplified pictures above is that there’s actually a lot more going on in an E2E system than just encryption.

      In practice, one of the most challenging problems in encrypted messaging systems is getting the key you need to actually perform the encryption. This problem, which is generally known as key distribution, is an age-old concern in the field of computer security. There are many ways for it to go wrong.

      In the olden days, we used to ask users to manage and exchange their own keys, and then select which users they wanted to encrypt to. This was terrible and everyone hated it. Modern E2E systems have become popular largely because they hide all of this detail from their users. This comes at the cost of some extra provider-operated infrastructure.

      In practice, systems like Apple iMessage, WhatsApp and Facebook Messenger actually look more like this:

      [Illustration: Identity] Encrypted calling with an “identity system” looking up keys. The Apple represents Apple’s back-end servers.

      The Apple at the top of the picture above stands in for Apple’s “identity service”, which is a cluster of servers running in Apple’s various data centers. These servers perform many tasks, but most notably: they act as a directory for looking up the encryption key of the person you’re talking to. If that service misfires and gives you the wrong key, the best ciphers in the world won’t help you. You’ll just be encrypting to the wrong person.

      These identity services do more than look up keys. In at least some group messaging systems like WhatsApp and iMessage, they also control the membership of group conversations. In poorly-designed systems, the server can add and remove users from a group conversation at will, even if none of the participants have requested this. It’s as though you’re having a conversation in a very private room — but the door is unlocked and the building manager controls who can enter and join you.

      (A technical note: while these two aspects of the identity system serve different purposes, in practice they’re often closely related. For example, in many systems there is little distinction between “group” and “two-participant” messaging. In systems that support multiple devices connected to a single account, like Apple’s iMessage, every single device attached to your user account is treated as a separate party to the conversation. Provided either party has more than one device on their account [say, an iPhone and an iPad], you can think of every iMessage conversation as being a group conversation.)

      Most E2E systems have basic countermeasures against bad behavior by the identity service. For example, client applications will typically alert you when a new user joins your group chat, or when someone adds a new device to your iMessage account. Similarly, both WhatsApp and Signal expose “safety numbers” that allow participants to verify that they received the right cryptographic keys, which offers a check against dishonest providers.

      But these countermeasures are not perfect, and not every service offers them. Which brings me to the GCHQ proposal.

      What GCHQ wants

      The Lawfare article by Levy and Robinson does not present GCHQ’s proposal in great detail. Fortunately, both authors have spent a good deal of time touring the U.S., giving several public talks about their ideas. I had the privilege of speaking to both of them earlier this summer when they visited Johns Hopkins, so I think I have a rough handle on what they’re thinking.

      In its outlines, the idea they propose is extremely simple. The goal is to take advantage of the existing weaknesses in the identity management systems of group chat and calling systems. This would allow law enforcement — with the participation of the service provider — to add a “ghost user” (or in some cases, a “ghost device”) to an existing group chat or calling session. In systems where group membership can be modified by the provider infrastructure, this could mostly be done via changes to the server-side components of the provider’s system.

      I say that it could mostly be done server-side, because there’s a wrinkle. Even if you modify the provider infrastructure to add unauthorized users to a conversation, most existing E2E systems do notify users when a new participant (or device) joins a conversation. Generally speaking, having a stranger wander into your conversation is a great way to notify criminals that the game’s afoot or what have you, so you’ll absolutely want to block this warning.

      While the GCHQ proposal doesn’t go into great detail, it seems to follow that any workable proposal will require providers to suppress those warning messages at the target’s device. This means the proposal will also require changes to the client application as well as the server-side infrastructure.

      (Certain apps like Signal are already somewhat hardened against these changes, because group chat setup is handled in an end-to-end encrypted/authenticated fashion by clients. This prevents the server from inserting new users without the collaboration of at least one group participant. At the moment, however, both WhatsApp and iMessage seem vulnerable to GCHQ’s proposed approach.)

      Due to this need for extensive server and client modifications, the GCHQ proposal actually represents a very significant change to the design of messaging systems. It seems likely that the client-side code changes would need to be deployed to all users, since you can’t do targeted software updates just against criminals. (Or rather, if you could rely on such targeted software updates, you would just use that capability instead of the thing that GCHQ is proposing.)

      Which brings us to the last piece: how do you get providers to go along with all of this?

      While optimism and cooperation are nice in principle, it seems unlikely that communication providers are going to voluntarily insert a powerful eavesdropping capability into their encrypted services, if only because it represents a huge and risky modification. Presumably this means that the UK government will have to compel cooperation. One potential avenue for this is to use Technical Capability Notices from the UK’s Investigatory Powers Act. Those notices mandate that a provider offer real-time decryption for sets of users ranging from 1 to 10,000 users, and moreover, that providers must design their systems to ensure that such a capability remains available.

      And herein lies the problem.

      Providers are already closing this loophole

      The real problem with the GCHQ proposal is that it targets a weakness in messaging/calling systems that’s already well-known to providers, and moreover, a weakness that providers have been working to close — perhaps because they’re worried that someone just like GCHQ (or probably, much worse) will try to exploit it. By making this proposal, the folks at GCHQ have virtually guaranteed that those providers will move much, much faster on this.

      And they have quite a few options at their disposal. Over the past several years researchers have proposed several designs that offer transparency to users regarding which keys they’re obtaining from a provider’s identity service. These systems operate by having the identity service commit to the keys that are associated with individual users, such that it’s very hard for the provider to change a user’s keys (or to add a device) without everyone in the world noticing.

      As mentioned above, advanced messengers like Signal have “submerged” the group chat management into the encrypted communications flow, so that the server cannot add new users without the digitally authenticated approval of one of the existing participants. This design, if ported to more popular services like WhatsApp, would seem to kill the GCHQ proposal dead.

      Of course, these solutions highlight the tricky nature of GCHQ’s proposal. Note that in order to take advantage of existing vulnerabilities, GCHQ is going to have to require that providers change their system. And of course, once you’ve opened the door to forcing providers to change their system, why stop with small changes? What stops the UK government from, say, taking things a step farther, and using the force of law to compel providers not to harden their systems against this type of attack?

      Which brings us to the real problem with the GCHQ proposal. As far as I can see, there are two likely outcomes. In the first, providers rapidly harden their systems — which is good! — and in the process kill off the vulnerabilities that make GCHQ’s proposal viable (which is bad, at least for GCHQ). The more interest that governments express towards the proposal, the more likely this first outcome is. In the second outcome, the UK government, perhaps along with other governments, solves this problem by forcing the providers to keep their systems vulnerable. This second outcome is what I worry about.

      More concretely, it’s true that today’s systems include existing flaws that are easy to exploit. But that does not mean we should entomb those flaws in concrete. And once law enforcement begins to rely on them, we will effectively have done so. Over time what seems like a “modest proposal” using current flaws will rapidly become an ossifying influence that holds ancient flaws in place. In the worst-case outcome, we’ll be appointing agencies like GCHQ as the ultimate architect of Apple and Facebook’s communication systems.

      That is not a good outcome. In fact, it’s one that will likely slow down progress for years to come.

      Let’s talk about PAKE

      The first rule of PAKE is: nobody ever wants to talk about PAKE. The second rule of PAKE is that this is a shame, because PAKE — which stands for Password Authenticated Key Exchange — is actually one of the most useful technologies that (almost) never gets used. It should be deployed everywhere, and yet it isn’t.

      To understand why this is such a damn shame, let’s start by describing a very real problem.

      Imagine I’m operating a server that has to store user passwords. The traditional way to do this is to hash each user password and store the result in a password database. There are many schools of thought on how to handle the hashing process; the most common recommendation these days is to use a memory-hard password hashing function like scrypt or argon2 (with a unique per-password salt), and then store only the hashed result. There are various arguments about which hash function to use, and whether it could help to also use some secret value (called “pepper”), but we’ll ignore these for the moment.

      Regardless of the approach you take, all of these solutions have a single Achilles heel:

      When the user comes back to log into your website, they will still need to send over their (cleartext) password, since this is required in order for the server to do the check. 

      This requirement can lead to disaster if your server is ever persistently compromised, or if your developers make a simple mistake. For example, earlier this year Twitter asked all of its (330 million!) users to change their passwords — because it turned out that the company had been logging cleartext (unhashed) passwords.

      Now, the login problem doesn’t negate the advantage of password hashing in any way. But it does demand a better solution: one where the user’s password never has to go to the server in cleartext. The cryptographic tool that can give this to us is PAKE, and in particular a new protocol called OPAQUE, which I’ll get to at the end of this post.

      What’s a PAKE?

      A PAKE protocol, first introduced by Bellovin and Merritt, is a special form of cryptographic key exchange protocol. Key exchange (or “key agreement”) protocols are designed to help two parties (call them a client and server) agree on a shared key, using public-key cryptography. The earliest key exchange protocols — like classical Diffie-Hellman — were unauthenticated, which made them vulnerable to man-in-the-middle attacks. The distinguishing feature of PAKE protocols is the client will authenticate herself to the server using a password. For obvious reasons, the password, or a hash of it, is assumed to be already known to the server, which is what allows for checking.

      If this was all we required, PAKE protocols would be easy to build. What makes a PAKE truly useful is that it should also provide protection for the client’s password. A stronger version of this guarantee can be stated as follows: after a login attempt (valid, or invalid) both the client and server should learn only whether the client’s password matched the server’s expected value, and no additional information. This is a powerful guarantee. In fact, it’s not dissimilar to what we ask for from a zero knowledge proof.

      [Diagram: pakediagram] Ideal representation of a PAKE protocol. The two parties’ inputs also include some randomness, which isn’t shown. An eavesdropper should not learn the strong shared secret key K, which should itself be random and not simply a function of the password.

      Of course, the obvious problem with PAKE is that many people don’t want to run a “key exchange” protocol in the first place! They just want to verify that a user knows a password.

      The great thing about PAKE is that the simpler “login only” use-case is easy to achieve. If I have a standard PAKE protocol that allows a client and server to agree on a shared key K if (and only if) the client knows the right password, then all we need to add is a simple check that both parties have arrived at the same key. (This can be done, for example, by having the parties compute some cryptographic function with it and check the results.) So PAKE is useful even if all you’ve got in mind is password checking.

      SRP: The PAKE that Time Forgot

      The PAKE concept seems like it provides an obvious security benefit when compared to the naive approach we use to log into servers today. And the techniques are old, in the sense that PAKEs have been known since way back in 1992! Despite this, they’ve seen almost no adoption. What’s going on?

      There are a few obvious reasons for this. The most obvious has to do with the limitations of the web: it’s much easier to put a password form onto a web page than it is to do fancy crypto in the browser. But this explanation isn’t sufficient. Even native applications rarely implement PAKE for their logins. Another potential explanation has to do with patents, though most of these are expired now. To me there are two likely reasons for the ongoing absence of PAKE: (1) there’s a lack of good PAKE implementations in useful languages, which makes it a hassle to use, and (2) cryptographers are bad at communicating the value of their work, so most people don’t know PAKE is even an option.

      Even though I said PAKE isn’t deployed, there are some exceptions to the rule.

      One of the remarkable ones is a 1998 protocol designed by Tom Wu [correction: not Tim Wu] and called “SRP”. Short for “Secure Remote Password”, this is a simple three-round PAKE with a few elegant features that were not found in the earliest works. Moreover, SRP has the distinction of being (as far as I know) the most widely-deployed PAKE protocol in the world. I cite two pieces of evidence for this claim:

      1. SRP has been standardized as a TLS ciphersuite, and is actually implemented in libraries like OpenSSL, even though nobody seems to use it much.
      2. Apple uses SRP extensively in their iCloud Key Vault.

      This second fact by itself could make SRP one of the most widely used cryptographic protocols in the world, so vast is the number of devices that Apple ships. So this is nothing to sneer at.

      Industry adoption of SRP is nice, but also kind of a bummer: mainly because while any PAKE adoption is cool, SRP itself isn’t the best PAKE we can deploy. I was planning to go into the weeds about why I feel so strongly about SRP, but it got longwinded and it distracted from the really nice protocol I actually want to talk about further below. If you’re still interested, I moved the discussion onto this page.

      In lieu of those details, let me give a quick and dirty TL;DR on SRP:

      1. SRP does some stuff “right”. For one thing, unlike early PAKEs it does not require you to store a raw password on the server (or, equivalently, a hash that could be used by a malicious client in place of the password). Instead, the server stores a “verifier” which is a one-way function of the password hash. This means a leak of the password database does not (immediately) allow the attacker to impersonate the user — unless they conduct further expensive dictionary attacks. (The technical name for this is “asymmetric” PAKE.)
      2. Even better, the current version of SRP (v6a) isn’t obviously broken!
      3. However (and with no offense to the designers) the SRP protocol design is completely bonkers, and earlier versions have been broken several times — which is why we’re now at revision 6a. Plus the “security proof” in the original research paper doesn’t really prove anything meaningful.
      4. SRP currently relies on integer (finite field) arithmetic, and for various reasons (see point 3 above) the construction is not obviously transferable to the elliptic curve setting. This requires more bandwidth and computation, and thus SRP can’t take advantage of the many efficiency improvements we’ve developed in settings like Curve25519.
      5. SRP is vulnerable to pre-computation attacks, due to the fact that it hands over the user’s “salt” to any attacker who can start an SRP session. This means I can ask a server for your salt, and build a dictionary of potential password hashes even before the server is compromised.
      6. Despite all these drawbacks, SRP is simple — and actually ships with working code. Plus there’s working code in OpenSSL that even integrates with TLS, which makes it relatively easy to adopt.

      Out of all these points, the final one is almost certainly responsible for the (relatively) high degree of commercial success that SRP has seen when compared to other PAKE protocols. It’s not ideal, but it’s real. This is something for cryptographers to keep in mind.

      OPAQUE: The PAKE of a new generation

      When I started thinking about PAKEs a few months ago, I couldn’t help but notice that most of the existing work was kind of crummy. It either had weird problems like SRP, or it required the user to store the password (or an effective password) on the server, or it revealed the salt to an attacker — allowing pre-computation attacks.

      Then earlier this year, Jarecki, Krawczyk and Xu proposed a new protocol called OPAQUE. OPAQUE has a number of extremely nice advantages:

      1. It can be implemented in any setting where Diffie-Hellman and discrete log (type) problems are hard. This means that, unlike SRP, it can be easily instantiated using efficient elliptic curves.
      2. Even better: OPAQUE does not reveal the salt to the attacker. It solves this problem by using an efficient “oblivious PRF” to combine the salt with the password, in a way that ensures the client does not learn the salt and the server does not learn the password.
      3. OPAQUE works with any password hashing function. Even better, since all the hashing work is done on the client, OPAQUE can actually take load off the server, freeing an online service up to use much stronger security settings — for example, configuring scrypt with large RAM parameters.
      4. In terms of number of messages and exponentiations, OPAQUE is not much different from SRP. But since it can be implemented in more efficient settings, it’s likely to be a lot more efficient.
      5. Unlike SRP, OPAQUE has a reasonable security proof (in a very strong model).

      There’s even an Internet Draft proposal for OPAQUE, which you can read here. Unfortunately, at this point I’m not aware of any production quality implementations of the code (if you know of one, please link to it in the comments and I’ll update). (Update: There are several potential implementations listed in the comments — I haven’t looked closely enough to endorse any, but this is great!) But that should soon change.

      The full OPAQUE protocol is given a little bit further below. In the rest of this section I’m going to go into the weeds on how OPAQUE works.

      Problem 1: Keeping the salt secret. As I mentioned above, the main problem with earlier PAKEs is the need to transmit the salt from a server to a (so far unauthenticated) client. This enables an attacker to run pre-computation attacks, where they can build an offline dictionary based on this salt.

      The challenge here is that the salt is typically fed into a hash function (like scrypt) along with the password. Intuitively someone has to compute that function. If it’s the server, then the server needs to see the password — which defeats the whole purpose. If it’s the client, then the client needs the salt.

      In theory one could get around this problem by computing the password hashing function using secure two-party computation (2PC). In practice, solutions like this are almost certainly not going to be efficient — most notably because password hashing functions are designed to be complex and time consuming, which will basically explode the complexity of any 2PC system.

      OPAQUE gets around this with the following clever trick. They leave the password hash on the client’s side, but they don’t feed it the stored salt. Instead, they use a special two-party protocol called an oblivious PRF to calculate a second salt (call it salt2) so that the client can use salt2 in the hash function — but does not learn the original salt.

      It works like this:

      The server stores "salt", and the client has the password.

salt2 = PRF(salt, password) // This is calculated between the 
                            // client and server, using an oblivious
                            // protocol where the client never learns
                            // salt, and the server never learns
                            // the password. The client obtains salt2

K      = PasswordHash(salt2, password) // This is done on the client

      The actual implementation of the oblivious PRF can be done using a couple of group elements and exponentiations. Even better, if the client enters the wrong password into that protocol, she obtains a completely bogus “salt2” value that reveals nothing about the real salt value.

      Problem 2: Proving that the client got the right key K. Of course, at this point, the client has derived a key K, but the server has no idea what it is. Nor does the server know whether it’s the right key.

      The solution OPAQUE uses is based on an old idea due to Gentry, Mackenzie and Ramzan. When the user first registers with the server, she generates a strong public and private key for a secure key agreement protocol (like HMQV), and encrypts the resulting private key under K, along with the server’s public key. The resulting authenticated ciphertext (and the public key) is stored in the password database.

      C = Encrypt(K, client secret key | server’s public key)

      [Diagram: opaqueprotocol] Full OPAQUE protocol, excerpted from the paper.

      When the client wishes to authenticate using the OPAQUE protocol, the server sends it the stored ciphertext C. If the client entered the right password into the first phase, she can derive K, and now decrypt this ciphertext. Otherwise it’s useless. Using the embedded secret key, she can now run a standard authenticated key agreement protocol to complete the handshake. (The server verifies the client’s inputs against its copy of the client’s public key, and the client does similarly.)

      Putting it all together. All of these different steps can be merged together into a single protocol that has the same number of rounds as SRP. Leaving aside the key verification steps, it looks like the protocol above. Basically, just two messages: one from the client and one returned by the server.
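An added example, not code from the OPAQUE paper or the Internet Draft, that walks through Problem 1 and Problem 2 above with client and server run in one Python process: the DH-based oblivious PRF that yields salt2 while the server never sees the password, client-side scrypt for K, the envelope C sealed under K, and a plain static Diffie-Hellman step standing in for HMQV. The group is a freshly generated 128-bit safe prime and the encryption is a hand-rolled encrypt-then-MAC, both chosen only to keep the file self-contained; the function names are mine.

```python
import hashlib
import hmac
import secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin for n > 3; plenty for demo-sized parameters."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits):
    """p = 2q + 1 with p and q prime: the squares mod p then form a group of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1

# CONSTRUCTED demo-sized group (fresh on each import); deployments use a 2048-bit MODP group or a curve.
P = _safe_prime(128)
Q = (P - 1) // 2
G = 4  # a square, hence inside (and, Q being prime, a generator of) the order-Q subgroup
_BYTES = (P.bit_length() + 7) // 8
_h = lambda *parts: hashlib.sha256(b"|".join(parts)).digest()
_i2b = lambda x: x.to_bytes(_BYTES, "big")

def _hash_to_group(password):
    """H1: map the password to a non-identity element of the order-Q subgroup (2HashDH OPRF)."""
    return pow(int.from_bytes(_h(b"H1", password), "big") % (P - 3) + 2, 2, P)

# ---- Problem 1: salt2 = PRF(salt, password), computed without the server seeing the password
def oprf_blind(password):
    """Client: hide H1(password) behind a fresh random exponent r before sending it."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(_hash_to_group(password), r, P)

def oprf_evaluate(oprf_key, blinded):  # server: applies its per-user secret key, the "salt"
    return pow(blinded, oprf_key, P)

def oprf_finalize(password, r, evaluated):  # client: strip r, hash; the salt itself stays unknown
    return _h(b"H2", password, _i2b(pow(evaluated, pow(r, -1, Q), P)))

def password_to_key(password, salt2):
    """K = PasswordHash(salt2, password), run on the client with a memory-hard hash."""
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(password, salt=salt2, n=2 ** 14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password, salt2, 100_000, 32)

# ---- Problem 2: envelope C = Encrypt(K, client secret key | server public key)
def _keystream(key, nonce, n):
    return b"".join(_h(b"KS", key, nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(K, plaintext):
    """Toy encrypt-then-MAC under K; a deployment would use a standard AEAD instead."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(K, nonce, len(plaintext))))
    return nonce + ct + hmac.new(K, nonce + ct, hashlib.sha256).digest()

def unseal(K, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(K, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong password -> wrong K -> the envelope is useless to the client
    return bytes(a ^ b for a, b in zip(ct, _keystream(K, nonce, len(ct))))

def register(password, server_sk):
    """Both sides of registration in one process; returns the server's record for this user."""
    oprf_key = secrets.randbelow(Q - 1) + 1  # the per-user "salt", never sent to the client
    r, blinded = oprf_blind(password)
    K = password_to_key(password, oprf_finalize(password, r, oprf_evaluate(oprf_key, blinded)))
    client_sk = secrets.randbelow(Q - 1) + 1
    envelope = seal(K, _i2b(client_sk) + _i2b(pow(G, server_sk, P)))
    return {"oprf_key": oprf_key, "client_pk": pow(G, client_sk, P), "envelope": envelope}

def login(password, record):
    """Client side of login; returns its session key, or None when the password is wrong."""
    r, blinded = oprf_blind(password)
    salt2 = oprf_finalize(password, r, oprf_evaluate(record["oprf_key"], blinded))
    opened = unseal(password_to_key(password, salt2), record["envelope"])
    if opened is None:
        return None
    client_sk = int.from_bytes(opened[:_BYTES], "big")
    server_pk = int.from_bytes(opened[_BYTES:], "big")
    return _h(b"AKE", _i2b(pow(server_pk, client_sk, P)))  # static DH stands in for HMQV

def server_session_key(record, server_sk):  # server side of the same static-DH step
    return _h(b"AKE", _i2b(pow(record["client_pk"], server_sk, P)))
```

Two logins with the right password reach the same session key because the OPRF output, and hence K, is independent of the client's random blinding factor; a wrong password yields an unrelated salt2, so the envelope fails to authenticate and the client learns nothing about the real salt.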

      The final aspect of the OPAQUE work is that it includes a strong security proof that shows the resulting protocol can be proven secure under the 1-more discrete logarithm assumption in the random oracle model, which is a (well, relatively) standard assumption that appears to hold in the settings we work with.

      In conclusion

      So in summary, we have this neat technology that could make the process of using passwords much easier, and could allow us to do it in a much more efficient way — with larger hashing parameters, and more work done by the client? Why isn’t this everywhere?

      Maybe in the next few years it will be.

      Why I’m done with Chrome

      This blog is mainly reserved for cryptography, and I try to avoid filling it with random “someone is wrong on the Internet” posts. After all, that’s what Twitter is for! But from time to time something bothers me enough that I have to make an exception. Today I wanted to write specifically about Google Chrome, how much I’ve loved it in the past, and why — due to Chrome’s new user-unfriendly forced login policy — I won’t be using it going forward.

      A brief history of Chrome

      When Google launched Chrome ten years ago, it seemed like one of those rare cases where everyone wins. In 2008, the browser market was dominated by Microsoft, a company with an ugly history of using browser dominance to crush their competitors. Worse, Microsoft was making noises about getting into the search business. This posed an existential threat to Google’s internet properties.

      In this setting, Chrome was a beautiful solution. Even if the browser never produced a scrap of revenue for Google, it served its purpose just by keeping the Internet open to Google’s other products. As a benefit, the Internet community would receive a terrific open source browser with the best development team money could buy. This might be kind of sad for Mozilla (who have paid a high price due to Chrome) but overall it would be a good thing for Internet standards.

      For many years this is exactly how things played out. Sure, Google offered an optional “sign in” feature for Chrome, which presumably vacuumed up your browsing data and shipped it off to Google, but that was an option. An option you could easily ignore. If you didn’t take advantage of this option, Google’s privacy policy was clear: your data would stay on your computer where it belonged.

      What changed?

      A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. (However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet. See further below.)

      Your sole warning — in the event that you’re looking for it — is that your Google profile picture will appear in the upper-right hand corner of the browser window. I noticed mine the other day:


      The change hasn’t gone entirely unnoticed: it received some vigorous discussion on sites like Hacker News. But the mainstream tech press seems to have ignored it completely. This is unfortunate — and I hope it changes — because this update has huge implications for Google and the future of Chrome.

      In the rest of this post, I’m going to talk about why this matters. From my perspective, this comes down to basically four points:

      1. Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense.
      2. This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.
      3. The change makes a hash out of Google’s own privacy policies for Chrome.
      4. Google needs to stop treating customer trust like it’s a renewable resource, because they’re screwing up badly.

      I warn you that this will get a bit ranty. Please read on anyway.

      Google’s stated rationale makes no sense

      The new feature that triggers this auto-login behavior is called “Identity consistency between browser and cookie jar” (HN). After conversations with two separate Chrome developers on Twitter (who will remain nameless — mostly because I don’t want them to hate me), I was given the following rationale for the change:

[Screenshot: the rationale given by the Chrome developers on Twitter]

      To paraphrase this explanation: if you’re in a situation where you’ve already signed into Chrome and your friend shares your computer, then you can wind up accidentally having your friend’s Google cookies get uploaded into your account. This seems bad, and sure, we want to avoid that.

      But note something critical about this scenario. In order for this problem to apply to you, you already have to be signed into Chrome. There is absolutely nothing in this problem description that seems to affect users who chose not to sign into the browser in the first place.

So if signed-in users are your problem, why would you make a change that forces unsigned-in users to become signed-in? I could waste a lot more ink wondering about the mismatch between the stated “problem” and the “fix”, but I won’t bother: because nobody on the public-facing side of the Chrome team has been able to offer an explanation that squares this circle.

      And this matters, because “sync” or not…

      The change has serious implications for privacy and trust

      The Chrome team has offered a single defense of the change. They point out that just because your browser is “signed in” does not mean it’s uploading your data to Google’s servers. Specifically:

      While Chrome will now log into your Google account without your consent (following a Gmail login), Chrome will not activate the “sync” feature that sends your data to Google. That requires an additional consent step. So in theory your data should remain local.

      This is my paraphrase. But I think it’s fair to characterize the general stance of the Chrome developers I spoke with as: without this “sync” feature, there’s nothing wrong with the change they’ve made, and everything is just fine.

      This is nuts, for several reasons.

      User consent matters. For ten years I’ve been asked a single question by the Chrome browser: “Do you want to log in with your Google account?” And for ten years I’ve said no thanks. Chrome still asks me that question — it’s just that now it doesn’t honor my decision.

      The Chrome developers want me to believe that this is fine, since (phew!) I’m still protected by one additional consent guardrail. The problem here is obvious:

If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome (and didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me? What stops you from changing your mind on that option in a few months, when we’ve all stopped paying attention?

      The fact of the matter is that I’d never even heard of Chrome’s “sync” option — for the simple reason that up until September 2018, I had never logged into Chrome. Now I’m forced to learn these new terms, and hope that the Chrome team keeps promises to keep all of my data local as the barriers between “signed in” and “not signed in” are gradually eroded away.

      The Chrome sync UI is a dark pattern. Now that I’m forced to log into Chrome, I’m faced with a brand new menu I’ve never seen before. It looks like this:

[Screenshot: the new Chrome sync menu, with its large blue button]

      Does that big blue button indicate that I’m already synchronizing my data to Google? That’s scary! Wait, maybe it’s an invitation to synchronize! If so, what happens to my data if I click it by accident? (I won’t give it the answer away, you should go find out. Just make sure you don’t accidentally upload all your data in the process. It can happen quickly.)

      In short, Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click. This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they’re already syncing and thus there’s no additional cost to increasing Google’s access to their data.

      Don’t take my word for it. It even gives (former) Google people the creeps.

      Big brother doesn’t need to actually watch you. We tell things to our web browsers that we wouldn’t tell our best friends. We do this with some vague understanding that yes, the Internet spies on us. But we also believe that this spying is weak and probabilistic. It’s not like someone’s standing over our shoulder checking our driver’s license with each click.

What happens if you take that belief away? There are numerous studies indicating that even the perception of surveillance can significantly magnify the degree of self-censorship users force on themselves. Will users feel comfortable browsing for information on sensitive mental health conditions — if their real name and picture are always loaded into the corner of their browser? The Chrome development team says “yes”. I think they’re wrong.

For all we know, the new approach has privacy implications even if sync is off. The Chrome developers claim that with “sync” off, a signed-in Chrome has no privacy implications. This might be true. But when pressed on the actual details, nobody seems quite sure.

      For example, if I have my browser logged out, then I log in and turn on “sync”, does all my past (logged-out) data get pushed to Google? What happens if I’m forced to be logged in, and then subsequently turn on “sync”? Nobody can quite tell me if the data uploaded in these conditions is the same. These differences could really matter.

The changes make a hash of the Chrome privacy policy

      The Chrome privacy policy is a remarkably simple document. Unlike most privacy policies, it was clearly written as a promise to Chrome’s users — rather than as the usual lawyer CYA. Functionally, it describes two browsing modes: “Basic browser mode” and “signed-in mode”. These modes have very different properties. Read for yourself:

[Screenshots: the “Basic browser mode” and “Signed-in mode” sections of the Chrome privacy policy]

      In “basic browser mode”, your data is stored locally. In “signed-in” mode, your data gets shipped to Google’s servers. This is easy to understand. If you want privacy, don’t sign in. But what happens if your browser decides to switch you from one mode to the other, all on its own?

      Technically, the privacy policy is still accurate. If you’re in basic browsing mode, your data is still stored locally. The problem is that you no longer get to decide which mode you’re in. This makes a mockery out of whatever intentions the original drafters had. Maybe Google will update the document to reflect the new “sync” distinction that the Chrome developers have shared with me. We’ll see.

      Update: After I tweeted about my concerns, I received a DM on Sunday from two different Chrome developers, each telling me the good news: Google is updating their privacy policy to reflect the new operation of Chrome. I think that’s, um, good news. But I also can’t help but note that updating a privacy policy on a weekend is an awful lot of trouble to go to for a change that… apparently doesn’t even solve a problem for signed-out users.

      Trust is not a renewable resource

For a company that sustains itself by collecting massive amounts of user data, Google has managed to avoid the negative privacy connotations we associate with, say, Facebook. This isn’t because Google collects less data, it’s just that Google has consistently been more circumspect and responsible with it.

      Where Facebook will routinely change privacy settings and apologize later, Google has upheld clear privacy policies that it doesn’t routinely change. Sure, when it collects, it collects gobs of data, but in the cases where Google explicitly makes user security and privacy promises — it tends to keep them. This seems to be changing.

Google’s reputation is hard-earned, and it can be easily lost. Changes like this burn a lot of trust with users. If the change is solving an absolutely critical problem for users, then maybe a loss of trust is worth it. I wish Google could convince me that was the case.

      Conclusion

      This post has gone on more than long enough, but before I finish I want to address two common counterarguments I’ve heard from people I generally respect in this area.

      One argument is that Google already spies on you via cookies and its pervasive advertising network and partnerships, so what’s the big deal if they force your browser into a logged-in state? One individual I respect described the Chrome change as “making you wear two name tags instead of one”. I think this objection is silly both on moral grounds — just because you’re violating my privacy doesn’t make it ok to add a massive new violation — but also because it’s objectively silly. Google has spent millions of dollars adding additional tracking features to both Chrome and Android. They aren’t doing this for fun; they’re doing this because it clearly produces data they want.

      The other counterargument (if you want to call it that) goes like this: I’m a n00b for using Google products at all, and of course they were always going to do this. The extreme version holds that I ought to be using lynx+Tor and DJB’s custom search engine, and if I’m not I pretty much deserve what’s coming to me.

I reject this argument. I think it’s entirely possible for a company like Google to make good, usable open source software that doesn’t massively violate user privacy. For ten years I believe Google Chrome did just this.

Why they’ve decided to change, I don’t know. It makes me sad.

Friday Dachshund Blogging

      For over a year this blog has failed to deliver on an essential promise — that there would someday be pictures of dachshunds. Today we deliver.

      This is Callie (short for Calliope) working her way through a bit of summer crypto reading:

[Photo: Callie with a crypto book]

      But sometimes that’s exhausting and you’ve gotta take a break.

[Photo: Callie taking a break]

      A visit from a strange metallic dachshund:

[Photo: a metallic dachshund sculpture]

      Summer:

[Photo: Callie in summer]

And in memoriam, Zoe and Sophie, who helped me start this blog.

Wonk post: chosen ciphertext security in public-key encryption (Part 2)

      This continues the post from Part 1. Note that this is a work in progress, and may have some bugs in it 🙂 I’ll try to patch them up as I go along.

      In the previous post I discussed the problem of building CCA-secure public key encryption. Here’s a quick summary of what we discussed in the first part:

      • We covered the definition of CCA2 security.
      • We described how you can easily achieve this notion in the symmetric encryption setting using a CPA-secure encryption scheme, plus a secure MAC.
      • We talked about why this same approach doesn’t work for standard public-key encryption.

      In this post I’m going to discuss a few different techniques that actually do provide CCA security for public key encryption. We’ll be covering these in no particular order.

      A quick note on security proofs. There are obviously a lot of different ways you could try to hack together a CCA2 secure scheme out of different components. Some of those might be secure, or they might not be. In general, the key difference between a “secure” and “maybe secure” scheme is the fact that we can construct some kind of security proof for it.

      The phrase “some kind” will turn out to be an important caveat, because these proofs might require a modest amount of cheating.

      The bad and the ugly

      Before we get to the constructive details, it’s worth talking a bit about some ideas that don’t work to achieve CCA security. The most obvious place to start is with some of the early RSA padding schemes, particularly the PKCS#1v1.5 padding standard.

      PKCS#1 padding was developed in the 1980s, when it was obvious that public key encryption was going to become widely deployed. It was intended as a pre-processing stage for messages that were going to be encrypted using an RSA public key.

      This padding scheme had two features. First, it added randomness to the message prior to encrypting it. This was designed to defeat the simple ciphertext guessing attacks that come from deterministic encryption schemes like RSA. It can be easily shown that randomized encryption is absolutely necessary for any IND-CPA (and implicitly, IND-CCA) secure public key encryption scheme. Second, the padding added some “check” bytes that were intended to help detect mangled ciphertexts after decryption; this was designed (presumably) to shore the scheme up against invalid decryption attempts.

PKCS#1v1.5 is still widely used in protocols, including all versions of TLS prior to TLS 1.3. The diagram below shows what the padding scheme looks like when used in TLS with a 2048-bit RSA key. The section labeled “48 bytes PMS” (pre-master secret) in this example represents the plaintext being encrypted. The 205 bytes of “non-zero padding” consist of purely random bytes that exclude the byte “0”, because that value is reserved to indicate the end of the padding section and the beginning of the plaintext.

[Diagram: PKCS#1v1.5 encryption block for a 48-byte pre-master secret under a 2048-bit RSA key: “00 02”, 205 bytes of non-zero padding, “00”, 48 bytes PMS]

After using the RSA secret key to recover the padded message, the decryptor is supposed to parse the message and verify that the first two bytes (“00 02”) and the boundary “00” byte are all correct and not violating any rules. The decryptor may optionally conduct other checks like verifying the length and structure of the plaintext, in case that’s known in advance.

      One of the most immediate observations about PKCS#1v1.5 is that the designers kind of intuitively understood that chosen ciphertext attacks were a thing. They clearly added some small checks to make sure that it would be hard for an attacker to modify a given ciphertext (e.g., by multiplying it by a chosen value). It’s also obvious that these checks aren’t very strong. In the standardized version of the padding scheme, there are essentially three bytes to check — and one of them (the “00” byte after the padding) can “float” at a large number of different positions, depending on how much padding and plaintext there is in the message.

The use of a weak integrity check leads to a powerful CCA2 attack on the encryption scheme that was first discovered by Daniel Bleichenbacher. The attack is powerful due to the fact that it actually leverages the padding check as a way to learn information about the plaintext. That is: the attacker “mauls” a ciphertext and sends it to be decrypted, and relies on the fact that the decryptor will simply perform the decryption checks they’re supposed to perform — and output a noticeable error if they fail. Given only this one bit of information per decryption, the attack can gradually recover the full plaintext of a specific ciphertext by (a) multiplying it with some value, (b) sending the result to be decrypted, (c) recording the success/failure result, (d) adaptively picking a new value and repeating step (a) many thousands or millions of times.
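As an added example (my own code, not from the post): the TLS encryption block from the diagram above, built and parsed in Python. `pkcs1_v15_unpad_naive` is the textbook parse whose raise/no-raise outcome is exactly the one bit per decryption described above; `pkcs1_v15_unpad_tls` is the countermeasure TLS 1.2 prescribes (RFC 5246, section 7.4.7.1): on any padding failure, substitute a fresh random pre-master secret and let the handshake fail later with no padding-specific signal. Function and constant names are my own.

```python
import secrets

RSA_MODULUS_BYTES = 256   # 2048-bit modulus, as in the diagram
PMS_LEN = 48              # TLS pre-master secret length
SEP_INDEX = RSA_MODULUS_BYTES - PMS_LEN - 1   # 207: where the "00" separator must sit


def pkcs1_v15_pad(pms: bytes) -> bytes:
    """Build the block "00 02 | 205 non-zero random bytes | 00 | PMS" from the diagram."""
    if len(pms) != PMS_LEN:
        raise ValueError("TLS pre-master secret must be 48 bytes")
    pad_len = RSA_MODULUS_BYTES - 3 - PMS_LEN   # 205 for a 2048-bit modulus
    padding = bytearray()
    while len(padding) < pad_len:
        b = secrets.token_bytes(1)
        if b != b"\x00":           # 0x00 is reserved for the separator, so skip it
            padding += b
    return b"\x00\x02" + bytes(padding) + b"\x00" + pms


def pkcs1_v15_unpad_naive(block: bytes) -> bytes:
    """Textbook parse: raises on any malformed block.
    Whether this raises or not is the single bit per decryption that a
    Bleichenbacher-style attacker collects, so a decryptor must not expose it."""
    if len(block) != RSA_MODULUS_BYTES or block[:2] != b"\x00\x02":
        raise ValueError("wrong block type")
    sep = block.find(b"\x00", 2)       # the separator "floats" with the padding length
    if sep == -1 or sep < 2 + 8:       # PKCS#1 requires at least 8 padding bytes
        raise ValueError("bad padding")
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:            # the optional length check the post mentions
        raise ValueError("bad plaintext length")
    return pms


def pkcs1_v15_unpad_tls(block: bytes) -> bytes:
    """TLS 1.2 countermeasure (RFC 5246 section 7.4.7.1): never report a padding error.
    Every check is evaluated, the results are folded into one flag, and on failure a
    fresh random pre-master secret is returned, so the handshake fails later (Finished
    MAC mismatch) in the same way for every malformed block. Note: these Python
    comparisons are not constant-time; a real implementation must also fix the timing side."""
    fallback = secrets.token_bytes(PMS_LEN)   # generated up front, before any check
    if len(block) != RSA_MODULUS_BYTES:       # length is public, so this branch leaks nothing
        return fallback
    ok = block[:2] == b"\x00\x02"
    ok &= 0 not in block[2:SEP_INDEX]         # padding must contain no zero byte
    ok &= block[SEP_INDEX] == 0               # separator at the one position TLS allows
    candidate = block[SEP_INDEX + 1:]
    return candidate if ok else fallback
```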

      The PKCS#1v1.5 padding scheme is mainly valuable to us today because it provides an excellent warning to cryptographic engineers, who would otherwise continue to follow the “you can just hack together something that looks safe” school of building protocols. Bleichenbacher-style attacks have largely scared the crypto community straight. Rather than continuing to use this approach, the crypto community has (mostly) moved towards techniques that at least offer some semblance of provable security.

      That’s what we’ll cover in just a moment.

      A few quick notes on achieving CCA2-secure public key encryption

      Before we get to a laundry list of specific techniques and schemes, it’s worth asking what types of design features we might be looking for in a CCA2 public key encryption scheme. Historically there have been two common requirements:

      • It would be super convenient if we could start with an existing encryption scheme, like RSA or Elgamal encryption, and generically tweak (or “compile”) that scheme into a CCA2-secure scheme. (Re-usable generic techniques are particularly useful in the event that someone comes up with new underlying encryption schemes, like post-quantum secure ones.)
      • The resulting scheme should be pretty efficient. That rules out most of the early theoretical techniques that use huge zero knowledge proofs (as cool as they are).

      Before we get to the details, I also want to repeat the intuitive description of the CCA2 security game, which I gave in the previous post. The game (or “experiment”) works like this:

      1. I generate an encryption keypair for a public-key scheme and give you the public key.
      2. You can send me (sequentially and adaptively) many ciphertexts, which I will decrypt with my secret key. I’ll give you the result of each decryption.
      3. Eventually you’ll send me a pair of messages (of equal length) M_0, M_1 and I’ll pick a bit b at random, and return to you the encryption of M_b, which I will denote as C^* \leftarrow {\sf Encrypt}(pk, M_b).
      4. You’ll repeat step (2), sending me ciphertexts to decrypt. If you send me C^* I’ll reject your attempt. But I’ll decrypt any other ciphertext you send me, even if it’s only slightly different from C^*.
5. You (the attacker) will output your guess b'. You “win” the game if b'=b.
      6. We say a scheme is IND-CCA2 secure if the attacker wins with probability “not much greater” than 1/2 (which is the best an attacker can do if they just guess randomly.)

      A quick review of this definition shows that we need a CCA2-encryption scheme to provide at least two major features.

      First off, it should be obvious that the scheme must not leak information about the secret key, even when I’m using it to decrypt arbitrary chosen ciphertexts of your choice. There are obvious examples of schemes that fail to meet this requirement: the most famous is the (textbook) Rabin cryptosystem — where the attacker’s ability to obtain the decryption of a single chosen ciphertext can leak the entire secret key.

More subtly, it seems obvious that CCA2 security is related to non-malleability. Here’s why: suppose I receive a challenge ciphertext C^* at step (3). It must be the case that I cannot easily “maul” that ciphertext into a new ciphertext C' that contains a closely related plaintext (and that the challenger will be able and willing to meaningfully decrypt). It’s easy to see that if I could get away with this, by the rules of the game I could probably win at step (4), simply by sending C' in to be decrypted, getting the result, and seeing whether it’s more closely related to M_0 or M_1. (This is, in fact, a very weak explanation of what the Bleichenbacher attack does.)

      It turns out that an even stronger property that helps achieve both of these conditions is something called plaintext awareness. There are various subtly-different mathematical formulations of this idea, but here I’ll try to give only the English-language intuition:

      If the attacker is able to submit a (valid) ciphertext to be decrypted, it must be the case that she already knows the plaintext of that message.

      This guarantee is very powerful, because it helps us to be sure that the decryption process doesn’t give the attacker any new information that she doesn’t already have. She can submit any messages she wants (including mauling the challenge ciphertext C^*) but if this plaintext-awareness property holds in the strongest sense, those decryptions won’t tell her anything she doesn’t already know.

      Of course, just because your scheme appears to satisfy the above conditions does not mean it’s secure. Both rules above are heuristics: that is, they’re necessary conditions to prevent attacks, but they may or may not be sufficient. To really trust a scheme (in the cryptographic sense) we should be able to offer a proof (under some assumptions) that these guarantees hold. We’ll address that a bit as we go forward.

      Technique 1: Optimal Asymmetric Encryption Padding

      One of the earlier practical CCA2 transforms was developed by Bellare and Rogaway as a direct replacement for the PKCS#1v1.5 padding scheme in RSA encryption. The scheme they developed — called Optimal Asymmetric Encryption Padding — represents a “drop-in” replacement for the earlier, broken v1.5 padding scheme. It also features a security proof. (Mostly. We’ll come back to this last point.)

      (Confusingly, OAEP was adopted into the PKCS#1 standards as of version 2.0, so sometimes you’ll see it referred to as PKCS#1v2.0-OAEP.)

      OAEP’s most obvious advance over the previous state of the art is the addition of not one, but two separate hash functions G() and H() that don’t exist in the v1.5 predecessor. (These are sometimes referred to as “mask generation functions”, which is just a fancy way of saying they’re hash functions with outputs of a custom, chosen size. Such functions can be easily built from existing hash functions like SHA256.)

Expressed graphically, this is what OAEP looks like:

OAEP padding function (courtesy Ozga at Wikipedia). The message is m and r is a string of random bits. The “000” represents a “check string” consisting of a string of k1 “0” bits. The lengths k0, k1 are chosen by the scheme, and the length of the overall input should be the largest bit (or byte) string that can fit inside of an RSA modulus (e.g., 1024 bits). Some 0 bits/bytes may have to be pre-pended to the result if the padded result is smaller than the modulus.

      If you’ve ever seen the DES cipher, this structure should look familiar to you. Basically OAEP is a two-round (unkeyed) Feistel network that uses a pair of hash functions to implement the round functions. There are a few key observations you can make right off the bat:

      • Just looking at the diagram above, you can see that it’s very easy to compute this padding function forward (going from a plaintext m and some random padding r to a padded message) and backwards — that is, it’s an easily-invertible permutation. The key to this feature is the Feistel network structure.
      • Upon decryption, a decryptor can invert the padding of a given message and verify that the “check string” (the string of k1 “0” bits) is correctly structured. If this string is not structured properly, the decryptor can simply output an error. This comprises the primary decryption check.
      • Assuming some (strong) properties of the hash functions, it intuitively seems that the OAEP transform is designed to create a kind of “avalanche effect” where even a small modification of a padded message will result in a very different unpadded result when the transform is inverted. In practice any such modification should “trash” the check string with overwhelming probability.

      From an intuitive point of view, these last two properties are what makes OAEP secure against chosen-ciphertext attacks. The idea here is that, due to the random properties of the hash function, it should be hard for the attacker to construct a valid ciphertext (one that has a correct check string) if she does not already know the plaintext that goes into the transform. This should hold even if the attacker already has some known valid ciphertext (like C^*) that she wishes to maul.

More specifically related to mauling: if I send an RSA-OAEP ciphertext C^* that encrypts a specific message m, the attacker should not be able to easily maul that ciphertext into a different ciphertext C' that will still pass the decryption checks. This is due to two facts: (1) because RSA is a (trapdoor) permutation, any change to C^* will implicitly change the padded message you recover after inverting the RSA function. And (2) sending this altered padded message backwards through the OAEP transform should, with overwhelming probability, trash the check string (and the message m). The result is that the adversary can’t maul someone else’s ciphertext.
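Here is the two-round Feistel structure from the diagram written out in Python, as an added example that is not from the post or from any standard: G() and H() are built from SHA-256 in counter mode (my own mask generation function, not PKCS#1’s MGF1), the block is sized for a 1024-bit modulus, and k0 and k1 are 32 bytes each. The RSA step is left out so that the behaviour of the padding alone is visible; `mauled_block_decodes` shows that flipping any single bit of the padded block trashes the check string, which is the property fact (2) above relies on.

```python
import hashlib
import secrets
from typing import Optional

N_BYTES = 128                 # padded block size: fits a 1024-bit modulus, as in the caption
K0 = 32                       # bytes of random seed r
K1 = 32                       # bytes of all-zero check string
MSG_LEN = N_BYTES - K0 - K1   # 64 bytes of message per block


def mgf(seed: bytes, length: int, label: bytes) -> bytes:
    """Mask generation: SHA-256 in counter mode, stretched to `length` bytes.
    The label separates G from H. Own construction for this example, not MGF1."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def G(r: bytes) -> bytes:      # round-1 function: k0 bytes -> (n - k0) bytes
    return mgf(r, N_BYTES - K0, b"G")


def H(x: bytes) -> bytes:      # round-2 function: (n - k0) bytes -> k0 bytes
    return mgf(x, K0, b"H")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def oaep_pad(m: bytes, r: Optional[bytes] = None) -> bytes:
    """Forward direction: (m, r) -> X || Y, two unkeyed Feistel rounds."""
    if len(m) != MSG_LEN:
        raise ValueError("message must be exactly %d bytes" % MSG_LEN)
    if r is None:
        r = secrets.token_bytes(K0)
    x = xor(m + bytes(K1), G(r))   # round 1: (m || 0^k1) masked with G(r)
    y = xor(r, H(x))               # round 2: r masked with H(X)
    return x + y


def oaep_unpad(padded: bytes) -> bytes:
    """Inverse direction: recover r, then m, then verify the k1 zero bytes."""
    if len(padded) != N_BYTES:
        raise ValueError("bad block length")
    x, y = padded[:N_BYTES - K0], padded[N_BYTES - K0:]
    r = xor(y, H(x))               # undo round 2
    m_check = xor(x, G(r))         # undo round 1
    m, check = m_check[:MSG_LEN], m_check[MSG_LEN:]
    if check != bytes(K1):         # the primary decryption check
        raise ValueError("check string corrupted; reject ciphertext")
    return m


def mauled_block_decodes(padded: bytes, bit_index: int) -> bool:
    """Flip one bit of a padded block and report whether it still passes the check.
    A flip in X changes H(X) and therefore r; a flip in Y changes r directly. Either
    way G(r) becomes an unrelated mask, so the check string survives only with
    probability about 2^-256."""
    mauled = bytearray(padded)
    mauled[bit_index // 8] ^= 1 << (bit_index % 8)
    try:
        oaep_unpad(bytes(mauled))
        return True
    except ValueError:
        return False
```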

      This all assumes some very strong assumptions about the hash functions, which we’ll discuss below.

      The OAEP proof details (at the most ridiculously superficial level)

      Proving OAEP secure requires two basic techniques. Both fundamentally rely on the notion that the functions G() and H() are random oracles. This is important for two very different reasons.

First: assuming a function is a “random oracle” means that we’re assuming it to have the same behavior as a random function. This is an awesome property for a hash function to have! (Note: real hash functions don’t have it. This means that hypothetically they could have very ‘non-random’ behavior that would make RSA-OAEP insecure. In practice this has not yet been a practical concern for real OAEP implementations, but it’s worth keeping in mind.)

      It’s easy to see that if the hash functions G() and H() were random functions, it would give OAEP some very powerful properties. Remember, one of the main intuitive goals of the OAEP scheme is to prevent attackers from successfully getting you to decrypt an improperly-constructed (e.g., mauled) ciphertext. If both hash functions are truly random, then this implies that any invalid ciphertext will almost certainly fail decryption, because the padding check will fail.

At a much deeper level, the use of random oracles in RSA-OAEP’s security proof gives the security reduction a great deal of “extra power” to handle things like decrypting chosen ciphertexts. This is due to the fact that, in a random oracle proof, the proof reduction is allowed to both “see” every value hashed through those hash functions, and also to “program” the functions so that they will produce specific outputs. This would not be possible if G() and H() were implemented using real hash functions, and so the entire security proof would break down.

These properties provide a tool in the security proof to enable decryption even when the secret key is unknown. In a traditional proof of the RSA-OAEP scheme, the idea is to show that an attacker who breaks the encryption (in the IND-CCA2 sense) can be used to construct a second attacker who solves the RSA problem. This is done by taking some random values (N, e, C) where N, e is an RSA public key of unknown factorization and “programming” the random oracles such that C^* = C. The intuitive idea is that an attacker who is able to learn something about the underlying message must query the functions G() and H() on correct inputs that, ultimately, will allow the security reduction to obtain the RSA inverse of C^* even when the reduction does not know the RSA secret key. That is, such an attacker will allow us to find an integer M' such that M'^e = C.

(There turned out to be some issues in the original OAEP proof that make it not quite work for arbitrary trapdoor permutations. Shoup fixed these by providing a new padding scheme called OAEP+, but the original OAEP had by then gone into heavy usage within standards! It turns out that RSA-OAEP does work, however, for RSA with public exponent 3 and other exponents, though proving this required some ugly band-aids. This whole story is part of a cautionary tale about provable security, which Koblitz discusses here.)

      Technique 2: The Fujisaki-Okamoto Transform

      One limitation of OAEP (and OAEP+) padding is that it requires a trapdoor permutation in order to work. This applies nicely to RSA encryption, but does not necessarily work with every existing public-key encryption scheme. This motivates the need for other CCA transforms that work with arbitrary existing (non-CCA) encryption schemes.

      One of the nicest generic techniques for building CCA2-secure public-key encryption is due to Eiichiro Fujisaki and Tatsuaki Okamoto. The idea of this transform is to begin with a scheme that already meets the definition of IND-CPA security — that is, it is semantically secure, but not against chosen ciphertext attacks. (For this description, we’ll also require that this scheme has a large [exponentially-sized] message space and some specific properties related to randomness.) The beauty of the “Fujisaki-Okamoto transform” (henceforth: F-O) is that, like OAEP before it, given a working public-key encryption scheme, it requires only the addition of some hash functions, and can be proven secure in the random oracle model.

Let’s imagine that we have an IND-CPA public-key encryption scheme that consists of the algorithms {\sf KeyGen}, {\sf Encrypt}, {\sf Decrypt}. We’ll also make use of two independent hash functions H_1, H_2.

A key observation here is that in every IND-CPA (semantically secure) public key encryption scheme, the {\sf Encrypt} algorithm is randomized. This actually has to be the case, due to the definition of IND-CPA. (See here for a discussion of why that is.) Put more explicitly, what this means is that the encryption algorithm must have access to some set of random bits that will be used to produce the ciphertext.

      The main trick that the F-O transform uses is to de-randomize this public-key encryption algorithm. Instead of using real random bits to encrypt, it will instead use the output of the hash function H_1 to produce the random bits that will be used for encryption. This turns a randomized encryption into a deterministic one. (This, of course, requires that both the input and the internals of H_1 are capable of producing bits that “look” random.)

      Let’s get to the nuts and bolts. The F-O transform does not change the key generation algorithm of the original encryption scheme at all, except to specify the hash functions H_1, H_2. The main changes come in the new encryption and decryption algorithms. I’m going to present one variant of the transform, though there are others. This one works as follows.

      To encrypt a message M, which we’ll express as some fixed-length string of bits:

      1. Instead of encrypting the actual message M, we instead sample a random message R from the message space of the original CPA-secure scheme.
2. We hash the random message R together with the original message M using that first hash function H_1. The output of this function will give us a ‘random’ bitstring. Let’s denote this as: r \leftarrow H_1(R \| M).
      3. Next, we’ll encrypt the new random message R using the original (CPA-secure) encryption scheme’s {\sf Encrypt} algorithm, but critically: we will use the bits r as the randomness for that encryption. The result of this process will give the first part of the ciphertext: C_1 \leftarrow {\sf Encrypt}(pk, R; r). Note that here r just refers to the randomness for the encryption algorithm, not an actual message being encrypted.
      4. Finally, we derive a “key” for encrypting the real message we want to send. We can compute this as K \leftarrow H_2(R).
      5. We now encrypt the original message M we want to send using some secure encryption scheme, for example the simple one-time pad: C_2 \leftarrow M \oplus K.
      6. We output the “ciphertext” C = (C_1, C_2).

      To decrypt C = (C_1, C_2), we would perform the following steps:

      1. First, use the original public-key encryption scheme’s secret key to decrypt the ciphertext C_1, which (if all is well) should give us R' \leftarrow {\sf Decrypt}(sk, C_1).
      2. Now use knowledge of R' to recover the key K' \leftarrow H_2(R') and thus the message M' which we can obtain as M' \leftarrow C_2 \oplus K'.
      3. Now check that both R', M' are valid by re-computing the randomness r' \leftarrow H_1(R' \| M') and verifying the condition C_1 == {\sf Encrypt}(pk, R'; r'). If this final check fails, simply output a decryption error.

      Phew. So what the heck is going on here?

      Let’s tackle this scheme from a practical perspective. Earlier in this post, we said that to achieve IND-CCA2 security, a scheme must have two features. First, it must be plaintext aware, which means that in order to construct a valid ciphertext (that passes all decryption checks) the attacker should already know the plaintext.

      Does F-O have this property? Well, intuitively we would hope that the answer is “yes”. Note for some valid F-O ciphertext C = (C_1, C_2) the decrypted plaintext is implicitly defined as M' \leftarrow C_2 \oplus H_2(R'). So what we really want to prove is that in order to construct a valid ciphertext the attacker must already know R' and M' prior to sending the message for decryption.

      This guarantee (with high probability) comes from the structure of C_1. In order for the ciphertext to be considered valid by the decryptor, it must be the case that C_1 satisfies the check C_1 == {\sf Encrypt}(pk, R'; r' = H_1(R' \| M')). The idea of this proof is that it should be hard for an attacker to construct such a C_1 unless she has previously called the hash function H_1 on input (R', M'). If she has called the hash function to produce this portion of the ciphertext, then she already knows those values and the decryption oracle provides her with no additional information she didn’t already have. (Alternatively, if she did not call the hash function, then her probability of making a valid C_1 should be extremely low.)

      Of course, this is only one strategy available to the attacker. She could also maul an existing ciphertext like C^* = (C_1^*, C_2^*). In this case her strategy is twofold: she can tamper with the first portion of the ciphertext and/or she can tamper with the second. But it’s easy to see that this will tend to break some portion of the decryption checks:

      1. If she tampers with any bit of C_2^*, she will change the recovered message into a new value that we can call M''. However this will in turn (with overwhelming probability) cause the decryptor to recover very different random coins r'' \leftarrow H_1(R' \| M'') than were used in the original construction of C_1^*, and thus the decryption check on that piece will probably fail.
      2. If she tampers with any bit of C_1^*, the decryption check C_1^* == {\sf Encrypt}(pk, R'; r') ought not to pass, and decryption will just produce an error.
      3. She might try to tamper with both parts of the ciphertext, of course. But this would seem even more challenging.
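      The six encryption steps, the three decryption steps and the two mauling cases above, worked through in code. This is an added example, not code from the post or from any of the papers it links: it instantiates the underlying CPA-secure scheme with a toy ElGamal over a 127-bit Mersenne prime (far too small for real use, chosen only so the example runs stand-alone), models H_1 and H_2 with domain-separated SHA-256 and SHAKE-256, and passes the coins r into the underlying {\sf Encrypt} explicitly so the de-randomization is visible. The helper names (fo_encrypt, fo_decrypt, flip_c1, flip_c2) are this example's own.

```python
import hashlib
import secrets

# Toy ElGamal parameters, constructed for illustration only: a 127-bit Mersenne
# prime is far too small for real use, but the transform is the point here.
P = (1 << 127) - 1
G = 3
R_LEN = 16  # R is encoded as 16 bytes with a zero leading byte, so int(R) < P

def keygen():
    """ElGamal key generation; F-O leaves it unchanged (H_1, H_2 are fixed below)."""
    x = secrets.randbelow(P - 2) + 1        # secret exponent in [1, P-2]
    return pow(G, x, P), x                   # (pk, sk)

def h1(R: bytes, M: bytes) -> int:
    """H_1(R || M): the 'random' coins r, domain-separated and reduced to [1, P-2]."""
    d = hashlib.sha256(b"FO-H1|" + R + b"|" + M).digest()
    return int.from_bytes(d, "big") % (P - 2) + 1

def h2(R: bytes, n: int) -> bytes:
    """H_2(R): an n-byte one-time-pad key for the real message."""
    return hashlib.shake_256(b"FO-H2|" + R).digest(n)

def pke_encrypt(pk: int, R: bytes, r: int) -> tuple:
    """The underlying CPA-secure Encrypt(pk, R; r), with its coins r passed in explicitly."""
    m = int.from_bytes(R, "big")
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def pke_decrypt(sk: int, C1: tuple) -> bytes:
    """Decrypt(sk, C1): recover the group element and re-encode it as R_LEN bytes."""
    a, b = C1
    m = (b * pow(a, P - 1 - sk, P)) % P     # b * a^{-sk}, the inverse via Fermat
    return m.to_bytes(R_LEN, "big")

def fo_encrypt(pk: int, M: bytes) -> tuple:
    R = b"\x00" + secrets.token_bytes(R_LEN - 1)   # step 1: sample a random message R
    r = h1(R, M)                                   # step 2: coins r = H_1(R || M)
    C1 = pke_encrypt(pk, R, r)                     # step 3: C_1 = Encrypt(pk, R; r)
    K = h2(R, len(M))                              # step 4: K = H_2(R)
    C2 = bytes(a ^ b for a, b in zip(M, K))        # step 5: C_2 = M xor K
    return C1, C2                                  # step 6: C = (C_1, C_2)

def fo_decrypt(pk: int, sk: int, C: tuple):
    """Returns M, or None on decryption error (the re-encryption check failed)."""
    C1, C2 = C
    R_ = pke_decrypt(sk, C1)                       # step 1: R' = Decrypt(sk, C_1)
    K_ = h2(R_, len(C2))                           # step 2: K' = H_2(R'), M' = C_2 xor K'
    M_ = bytes(a ^ b for a, b in zip(C2, K_))
    r_ = h1(R_, M_)                                # step 3: recompute r' ...
    if pke_encrypt(pk, R_, r_) != C1:              # ... and check C_1 == Encrypt(pk, R'; r')
        return None
    return M_

def flip_c2(C: tuple) -> tuple:
    """Mauling case 1: flip one bit of C_2 (changes M', hence r'', hence the check fails)."""
    C1, C2 = C
    return C1, bytes([C2[0] ^ 0x01]) + C2[1:]

def flip_c1(C: tuple) -> tuple:
    """Mauling case 2: perturb the group element of C_1 (changes R', hence the check fails)."""
    (a, b), C2 = C
    return ((a + 1) % P, b), C2

if __name__ == "__main__":
    pk, sk = keygen()
    M = b"the quick brown fox jumps over the lazy dog"
    C = fo_encrypt(pk, M)
    print(fo_decrypt(pk, sk, C) == M)        # True
    print(fo_decrypt(pk, sk, flip_c2(C)))    # None
    print(fo_decrypt(pk, sk, flip_c1(C)))    # None
```

      Note that the only source of randomness in fo_encrypt is the sampled R: once R and M are fixed, C_1 is a deterministic function of them, which is exactly what lets the decryptor re-encrypt and compare in step 3. A mauled ciphertext is rejected before any plaintext is released, and the decryptor returns the same error regardless of which component was altered.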

      The problem with the exercise above is that none of this constitutes a proof that the approach works. There is an awful lot of should and probably in this argument, and none of this ought to make you very happy. A rough sketch of the proof for an F-O scheme can be found here. (I warn you that it’s probably got some bugs in it, and I’m offering it mainly as an intuition.)

      The F-O scheme has many variants. A slightly different and much more formal treatment by Hofheinz and Kiltz can be found here, and deals with some other requirements on the underlying CPA-secure scheme.

      To be continued…

      So far in this discussion we’ve covered two basic techniques — both at a very superficial level — that achieve CCA2 security under the ridiculously strong assumption that random oracles exist. Unfortunately, they don’t. This motivates the need for better approaches that don’t require random oracles at all.

      There are a couple of those that, sadly, nobody uses. Those will have to wait until the next post.

      Was the Efail disclosure horribly screwed up?

      TL;DR. No. Or keep reading if you want.

      On Monday a team of researchers from Münster, RUB and NXP disclosed serious cryptographic vulnerabilities in a number of encrypted email clients. The flaws, which go by the cute vulnerability name of “Efail”, potentially allow an attacker to decrypt S/MIME or PGP-encrypted email with only minimal user interaction.

      By the standards of cryptographic vulnerabilities, this is about as bad as things get. In short: if an attacker can intercept and alter an encrypted email — say, by sending you a new (altered) copy, or modifying a copy stored on your mail server — they can cause many GUI-based email clients to send the full plaintext of the email to an attacker controlled-server. Even worse, most of the basic problems that cause this flaw have been known for years, and yet remain in clients.

      (Table excerpted from the Efail paper, showing how Efail affects S/MIME clients; image not reproduced.)

      The big (and largely under-reported) story of EFail is the way it affects S/MIME. That “corporate” email protocol is simultaneously (1) hated by the general crypto community because it’s awful and has a slash in its name, and yet (2) is probably the most widely-used email encryption protocol in the corporate world. The table at the right — excerpted from the paper — gives you a flavor of how Efail affects S/MIME clients. TL;DR it affects them very badly.

      Efail also happens to affect a smaller, but non-trivial number of OpenPGP-compatible clients. As one might expect (if one has spent time around PGP-loving folks) the disclosure of these vulnerabilities has created something of a backlash on HN, and among people who make and love OpenPGP clients. Mostly for reasons that aren’t very defensible.

      So rather than write about fun things — like the creation of CFB and CBC gadgets — today, I’m going to write about something much less exciting: the problem of vulnerability disclosure in ecosystems like PGP. And how bad reactions to disclosure can hurt us all.

      How Efail was disclosed to the PGP community

      Putting together a comprehensive timeline of the Efail disclosure process would probably be a boring, time-intensive project. Fortunately Thomas Ptacek loves boring and time-intensive projects, and has already done this for us.

      Briefly, the first Efail disclosures to vendors began last October, more than 200 days prior to the agreed publication date. The authors notified a large number of vulnerable PGP GUI clients, and also notified the GnuPG project (on which many of these projects depend) by February at the latest. From what I can tell every major vendor agreed to make some kind of patch. GnuPG decided that it wasn’t their fault, and basically stopped corresponding.

      All parties agreed not to publicly discuss the vulnerability until an agreed date in April, which was later pushed back to May 15. The researchers also notified the EFF and some journalists under embargo, but none of them leaked anything. On May 14 someone dumped the bug onto a mailing list. So the EFF posted a notice about the vulnerability (which we’ll discuss a bit more below), and the researchers put up a website. That’s pretty much the whole story.

      There are three basic accusations going around about the Efail disclosure. They can be summarized as (1) maintaining embargoes in coordinated disclosures is really hard, (2) the EFF disclosure “unfairly” made this sound like a serious vulnerability “when it isn’t”, and (3) everything was already patched anyway so what’s the big deal.

      Disclosures are hard; particularly coordinated ones

      I’ve been involved in two disclosures of flaws in open encryption protocols. (Both were TLS issues.) Each one poses an impossible dilemma. You need to simultaneously (a) make sure every vendor has as much advance notice as possible, so they can patch their software. But at the same time (b) you need to avoid telling literally anyone, because nothing on the Internet stays secret. At some point you’ll notify some FOSS project that uses an open development mailing list or ticket server, and the whole problem will leak out into the open.

      Disclosing bugs that affect PGP is particularly fraught. That’s because there’s no such thing as “PGP”. What we have instead is a large and distributed community that revolves around the OpenPGP protocol. The pillar of this community is the GnuPG project, which maintains the core GnuPG tool and libraries that many clients rely on. Then there are a variety of niche GUI-based clients and email plugin projects. Finally, there are commercial vendors like Apple and Microsoft. (Who are mostly involved in the S/MIME side of things, and may reluctantly allow PGP plugins.)

      Then, of course there are thousands of end-users, who will generally fail to update their software unless something really bad and newsworthy happens.

      The obvious solution to the disclosure problem is to use a staged disclosure. You notify the big commercial vendors first, since that’s where most of the affected users are. Then you work your way down the “long tail” of open source projects, knowing that inevitably the embargo could break and everyone will have to patch in a hurry. And you keep in mind that no matter what happens, everyone will blame you for screwing up the disclosure.

      For the PGP issues in Efail, the big client vendors are Mozilla (Thunderbird), Microsoft (Outlook) and maybe Apple (Mail). The very next obvious choice would be to patch the GnuPG tool so that it no longer spits out unauthenticated plaintext, which is the root of many of the problems in Efail.

      The Efail team appears to have pursued exactly this approach for the client-side vulnerabilities. Sadly, the GnuPG team made the decision that it’s not their job to pre-emptively address problems that they view as ‘clients misusing the GnuPG API’ (my paraphrase), even when that misuse appears to be rampant across many of the clients that use their tool. And so the most obvious fix for one part of the problem was not available.

      This is probably the most unfortunate part of the Efail story, because in this case GnuPG is very much at fault. Their API does something that directly violates cryptographic best practices — namely, releasing unauthenticated plaintext prior to producing an error message. And while this could be understood as a reasonable API design at design time, continuing to support this API even as clients routinely misuse it has now led to flaws across the ecosystem. The refusal of GnuPG to take a leadership role in preemptively safeguarding these vulnerabilities both increases the difficulty of disclosing these flaws, and increases the probability of future issues.
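      The API behaviour described above, and the client-side pattern that turns it into a flaw, as an added example (this is illustrative code, not GnuPG's or any client's). GnuPG reports decryption verdicts on its status file descriptor using keywords such as DECRYPTION_OKAY, DECRYPTION_FAILED, GOODMDC and BADMDC, which arrive after the plaintext has already been written out; the event sequences below are constructed to model that ordering, and the two renderers contrast a client that shows plaintext as it streams with one that buffers everything and releases it only on an explicit DECRYPTION_OKAY.

```python
# Status-fd keywords GnuPG documents for the decryption verdict.
OK_LINE = "[GNUPG:] DECRYPTION_OKAY"
FAILURE_LINES = ("[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] BADMDC")

# Constructed model of gpg's interleaved output for a message whose
# modification-detection check fails: the plaintext is emitted before the verdict.
TAMPERED_SESSION = [
    ("status", "[GNUPG:] BEGIN_DECRYPTION"),
    ("status", "[GNUPG:] PLAINTEXT 62 0 "),
    ("plain", b"<html><body>Quarterly numbers attached"),
    ("plain", b" ... </body></html>"),
    ("status", "[GNUPG:] BADMDC"),
    ("status", "[GNUPG:] DECRYPTION_FAILED"),
    ("status", "[GNUPG:] END_DECRYPTION"),
]

# Constructed model of the same stream for an intact message.
GOOD_SESSION = [
    ("status", "[GNUPG:] BEGIN_DECRYPTION"),
    ("status", "[GNUPG:] PLAINTEXT 62 0 "),
    ("plain", b"<html><body>Quarterly numbers attached"),
    ("plain", b" ... </body></html>"),
    ("status", "[GNUPG:] GOODMDC"),
    ("status", "[GNUPG:] DECRYPTION_OKAY"),
    ("status", "[GNUPG:] END_DECRYPTION"),
]

def render_streaming(session):
    """The misuse pattern: whatever gpg writes to stdout is handed to the
    renderer immediately, so unauthenticated plaintext is shown even when a
    failure verdict follows it."""
    shown = b""
    for kind, payload in session:
        if kind == "plain":
            shown += payload          # rendered before the verdict is known
    return shown

def render_checked(session):
    """The safe pattern: buffer all plaintext, scan the status stream, and
    release the buffer only on an explicit DECRYPTION_OKAY with no failure
    keyword anywhere in the session. Returns None on any failure or if no
    positive verdict was ever seen."""
    buffered = b""
    verdict_ok = False
    for kind, payload in session:
        if kind == "plain":
            buffered += payload
        elif payload.startswith(FAILURE_LINES):
            return None               # discard everything, show an error instead
        elif payload.startswith(OK_LINE):
            verdict_ok = True
    return buffered if verdict_ok else None

if __name__ == "__main__":
    print(render_streaming(TAMPERED_SESSION))   # leaks the plaintext
    print(render_checked(TAMPERED_SESSION))     # None
    print(render_checked(GOOD_SESSION))         # the plaintext
```

      The important design choice is the default: render_checked treats the absence of DECRYPTION_OKAY as a failure rather than treating the absence of an error as success, so a truncated or oddly ordered status stream fails closed.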

      So what went wrong with the Efail disclosure?

      Despite what you may have heard, given the complexity of this disclosure, very little went wrong. The main issues people have raised seem to have to do with the contents of an EFF post. And with some really bad communications from Robert J. Hansen at the Enigmail (and GnuPG) project.

      The EFF post. The Efail researchers chose to use the Electronic Frontier Foundation as their main source for announcing the existence of the vulnerability to the privacy community. This hardly seems unreasonable, because the EFF is generally considered a trusted broker, and speaks to the right community (at least here in the US).

      The EFF post doesn’t give many details, nor does it give a list of affected (or patched) clients. It does give two pretty mild recommendations:

      1. Temporarily disable or uninstall your existing clients until you’ve checked that they’re patched.
      2. Maybe consider using a more modern cryptosystem like Signal, at least until you know that your PGP client is safe again.

      This naturally led to a huge freakout by many in the PGP community. Some folks, including vendors, have misrepresented the EFF post as essentially pushing people to “permanently” uninstall PGP, which will “put lives at risk” because presumably these users (whose lives are at risk, remember) will immediately fall back to sending incriminating information via plaintext emails — rather than temporarily switching their communications to one of several modern, well-studied secure messengers, or just not emailing for a few hours.

      In case you think I’m exaggerating about this, here’s one reaction from ProtonMail:

      (Screenshot of ProtonMail’s reaction; image not reproduced.)

      The most reasonable criticism I’ve heard of the EFF post is that it doesn’t give many details about which clients are patched, and which are vulnerable. This could presumably give someone the impression that this vulnerability is still present in their email client, and thus would cause them to feel less than secure in using it.

      I have to be honest that to me that sounds like a really good outcome. The problem with Efail is that it doesn’t matter if your client is secure. The Efail vulnerability could affect you if even a single one of your communication partners is using an insecure client.

      So needless to say I’m not very sympathetic to the reaction around the EFF post. If you can’t be sure whether your client is secure, you probably should feel insecure.

      Bad communications from GnuPG and Enigmail. On the date of the disclosure, anyone looking for accurate information about security from two major projects — GnuPG and Enigmail — would not have been able to find it.

      They wouldn’t have found it because developers from both Enigmail and GnuPG were on mailing lists and Twitter claiming that they had never heard of Efail, and hadn’t been notified by the researchers. Needless to say, these allegations took off around the Internet, sometimes in place of real information that could have helped users (like, whether either project had patched.)

      It goes without saying that neither allegation was actually true. In fact, both project members soon checked with their fellow developers (and their memories) and found out that they’d both been given months of notice by the researchers, and that Enigmail had even developed a patch. (However, it turned out that even this patch may not perfectly address the issue, and the community is still working to figure out exactly what still needs to be done.)

      This is an understandable mistake, perhaps. But it sure is a bad one.

      PGP is bad technology and it’s making a bad community

      Now that I’ve made it clear that neither the researchers nor the EFF is out to get the PGP community, let me put on my mask and horns and tell you why someone should be.

      I’ve written extensively about PGP on this blog, but in the past I’ve written mostly from a technical point of view about the problems with PGP. But what’s really problematic about PGP is not just the cryptography; it’s the story it tells about path dependence and how software communities work.

      The fact of the matter is that OpenPGP is not really a cryptography project. That is, it’s not held together by cryptography. It’s held together by backwards-compatibility and (increasingly) a kind of an obsession with the idea of PGP as an end in and of itself, rather than as a means to actually make end-users more secure.

      Let’s face it, as a protocol, PGP/OpenPGP is just not what we’d develop if we started over today. It was formed over the years out of mostly experimental parts, which were in turn replaced, bandaged and repaired — and then worked into numerous implementations, which all had to be insanely flexible and yet compatible with one another. The result is bad, and most of the software implementing it is worse. It’s the equivalent of a beloved antique sports car, where the electrical system is totally shot, but it still drives. You know, the kind of car where the owner has to install a hand-switch so he can turn the reverse lights on manually whenever he wants to pull out of a parking space.

      If PGP went away, I estimate it would take the security community less than a year to entirely replace (the key bits of) the standard with something much better and modern. It would have modern crypto and authentication, and maybe even extensions for future post-quantum security. It would be simple. Many bright new people would get involved to help write the inevitable Rust, Go and Javascript clients and libraries.

      Unfortunately for us all, (Open)PGP does exist. And that means that even fancy greenfield email projects feel like they need to support OpenPGP, or at least some subset of it. This in turn perpetuates the PGP myth, and causes other clients to use it. And as a direct result, even if some clients re-implement OpenPGP from scratch, other clients will end up using tools like GnuPG which will support unauthenticated encryption with bad APIs. And the cycle will go round and around, like a spaceship stuck near the event horizon of a black hole.

      And as the standard perpetuates itself, largely for the sake of being a standard, it will fail to attract new security people. It will turn away exactly the type of people who should be working on these tools. Those people will go off and build encryption systems in a totally different area, or they’ll get into cryptocurrency. And — with some exceptions — the people who work in the community will increasingly work in that community because they’re supporting PGP, and not because they’re trying to seek out the best security technologies for their users. And the serious (email) users of PGP will be using it because they like the idea of using PGP better than they like using an actual, secure email standard.

      And as things get worse, and fail to develop, people who work on it will become more dogmatic about its importance, because it’s something threatened and not a real security protocol that anyone’s using. To me that’s where PGP is going today, and that is why the community has such a hard time motivating itself to take these vulnerabilities seriously, and instead reacts defensively.

      Maybe that’s a random, depressing way to end a post. But that’s the story I see in OpenPGP. And it makes me really sad.

      #####EOF##### Developer Resources | Create cool applications that integrate with WordPress.com
      #####EOF##### Forums | WordPress.org

      Welcome to Support

      Our community-based Support Forums are a great place to learn, share, and troubleshoot.

      Get started

      Documentation

      Your first stop where you'll find information on everything from installing to creating plugins.

      Explore documentation

      Get Involved

      The Support Handbook is great for tips, tricks, and advice regarding giving the best support possible.

      Explore the Handbook


      Installing WordPress

      If you encounter any problems while setting up WordPress.

      View forum

      Fixing WordPress

      For any problems encountered after setting up WordPress.

      View forum

      Developing with WordPress

      For those looking to do more advanced things with WordPress.

      View forum

      Networking WordPress

      Questions and discussions about running a network of WordPress sites.

      View forum

      Accessibility

      Assistive technologies such as screen readers, keyboard-only navigation, and voice control.

      View forum

      Localhost Installs

      If WordPress is or will be installed on your computer.

      View forum

      Everything else WordPress

      For relevant questions and problems not covered in the other forums.

      View forum

      Requests and Feedback

      Feature requests; criticism.

      View forum

      Alpha/Beta/RC

      Feedback and bug reports on development versions of WordPress.

      View forum

      Themes and Plugins

      Looking for help with a specific theme or plugin? Head to the theme or plugin's page and find the "View support forum" link to visit the theme or plugin's individual forum.

      #####EOF##### WordPress.com: Erstelle eine kostenlose Website oder einen kostenlosen Blog
      Sieh dir Annettes Geschichte an

      Erstelle eine Website, erstelle eine Bewegung.

      Was immer du erstellen, teilen oder verkaufen möchtest – wir helfen dir dabei.

      Kostenloser Einstieg und Raum für Wachstum.

      Egal, ob du eine Website, einen Online-Shop, ein Portfolio oder einen Blog erstellen möchtest: Unsere Tarife sind ganz auf deine Bedürfnisse zugeschnitten. Alles, was du brauchst, ist eine Idee und eine funktionierende Internetverbindung.

      Blogger

      $3

      pro Monat (jährliche Abrechnung)

      Ideal für Blogger Gib deinem Blog einen individuellen .blog‑Domain‑Namen und entferne sämtliche WordPress.com‑Werbung. Erhalte zusätzlichen Speicherplatz und E‑Mail‑Support.

      Mit Blogger starten

      • Ein Jahr lang eine kostenlose .blog-Domain
      • Jetpack-Funktionen
      • E-Mail-Support
      • Dutzende kostenlose Themes
      • Einfache Designanpassung
      • 6 GB Speicherplatz
      • WordPress.com-Werbeanzeigen entfernen

      Mit Blogger starten

      Persönlich

      $5

      pro Monat (jährliche Abrechnung)

      Ideal für die persönliche Nutzung Optimiere deine Website mit einem individuellen Domain‑Namen und entferne alle WordPress.com‑Werbeanzeigen. Profitiere von erstklassigem E‑Mail- und Live‑Chat‑Support.

      Mit Persönlich starten

      • Kostenlose Domain für 1 Jahr
      • Jetpack-Funktionen
      • E-Mail- und Live-Chat-Support
      • Dutzende kostenlose Themes
      • Einfache Designanpassung
      • 6 GB Speicherplatz
      • WordPress.com-Werbeanzeigen entfernen

      Mit Persönlich starten

      Premium

      $8

      pro Monat (jährliche Abrechnung)

      Best for Freelancers Erstelle eine einzigartige Website mit professionellen Designwerkzeugen, CSS‑Bearbeitung, viel Platz für Audio- und Videoinhalte sowie der Möglichkeit, mit Werbung auf deiner Website Geld zu verdienen.

      Mit Premium starten

      • Kostenlose Domain für 1 Jahr
      • Jetpack-Funktionen
      • E-Mail- und Live-Chat-Support
      • Unbegrenzte Premium-Themes
      • Erweiterte Designanpassung
      • 13 GB Speicherplatz
      • WordPress.com-Werbeanzeigen entfernen
      • Erweiterte Social-Media-Funktionen
      • Einfaches Bezahlen
      • Monetarisierung der Website
      • VideoPress-Unterstützung

      Mit Premium starten

      Business

      $25

      pro Monat (jährliche Abrechnung)

      Ideal für Kleinunternehmen Optimiere deine Business‑Website und mache sie noch leistungsstärker dank unbegrenzten Premium- und Business‑Theme‑Vorlagen, Google Analytics‑Unterstützung, unbegrenztem Speicherplatz und der Möglichkeit, das WordPress.com‑Branding zu entfernen.

      Mit Business starten

      • Kostenlose Domain für 1 Jahr
      • Jetpack-Funktionen
      • E-Mail- und Live-Chat-Support
      • Unbegrenzte Premium-Themes
      • Erweiterte Designanpassung
      • Unbegrenzter Speicherplatz
      • WordPress.com-Werbeanzeigen entfernen
      • Erweiterte Social-Media-Funktionen
      • Einfaches Bezahlen
      • Monetarisierung der Website
      • VideoPress-Unterstützung
      • Personalisierte Hilfe erhalten
      • SEO-Werkzeuge
      • Plugins hochladen
      • Themes installieren
      • Integration von Google Analytics
      • WordPress.com-Branding entfernen

      Mit Business starten

      E-Commerce

      $45

      pro Monat (jährliche Abrechnung)

      Best for Online Stores Verkaufe Produkte oder Dienstleistungen mit dieser leistungsstarken All‑in‑One‑Lösung für Onlineshops. Dieser Tarif beinhaltet Premium‑Erweiterungen und ist erweiterbar, wenn dein Unternehmen weiter wächst.

      Mit E-Commerce starten

      • Kostenlose Domain für 1 Jahr
      • Jetpack-Funktionen
      • E-Mail- und Live-Chat-Support
      • Unbegrenzte Premium-Themes
      • Erweiterte Designanpassung
      • Unbegrenzter Speicherplatz
      • WordPress.com-Werbeanzeigen entfernen
      • Erweiterte Social-Media-Funktionen
      • Einfaches Bezahlen
      • Monetarisierung der Website
      • VideoPress-Unterstützung
      • Personalisierte Hilfe erhalten
      • SEO-Werkzeuge
      • Plugins hochladen
      • Themes installieren
      • Integration von Google Analytics
      • WordPress.com-Branding entfernen
      • Akzeptiere Zahlungen in mehr als 60 Ländern
      • Integrationen für die besten Lieferunternehmen
      • Unbegrenzte Produkte oder Dienste
      • E-Commerce-Marketingtools
      • Anpassbare Premium-Themes für den Einstieg

      Mit E-Commerce starten

      WordPress.com Free

      Eine kostenlose WordPress.com-Website umfasst eine WordPress.com-Subdomain, Community-Support, Dutzende kostenlose Themes, grundlegende Designanpassung und mehr. Mit Free starten ›

      Welche Möglichkeiten hast du auf WordPress.com?

      Mit WordPress.com hast du alle Möglichkeiten, eine Website ganz nach deinen Vorstellungen aufzubauen. WordPress.com ist flexibel, sicher und leistungsstark – also genau so, wie dein Unternehmen auch sein soll.

      Baue eine Fangemeinde auf.
      Präsentiere deine Produkte, nutze erweiterte Statistiken und SEO-Tools und vernetze dich mit deinem Zielpublikum in sozialen Netzwerken, um deine Verkaufschancen zu steigern.
      Eröffne eine Online-Shop.
      Verarbeite Zahlungen, konfiguriere Steuern und Versandkosten, setze einen Marketingplan auf: Du erstellst die Widgets, wir die Website.
      Starte einen Blog.
      Jeder hat eine Meinung. Mit dem weltweit besten Blogging-Tool kannst auch du deinen Standpunkt online vertreten und einer Community mit Millionen von Nutzern beitreten, die nur darauf wartet, was du zu sagen hast.
      Erstelle ein Portfolio.
      Bei Tausenden von Themes ist garantiert auch das richtige für dich dabei. Mit unseren Speicher- und Designoptionen kannst du alles hochladen, was du brauchst, und deine Arbeit in einem ansprechenden Rahmen präsentieren.
      Der Einstieg ist ganz einfach.

      Professionelle Problemlöser.

      Du erhältst rund um die Uhr Unterstützung von echten Menschen.
      Unseren Support-Mitarbeitern.

      Egal, ob es um das Konfigurieren der Einstellungen, die Veröffentlichung von Seiten oder die Wahl des perfekten Designs geht: Unsere Support-Mitarbeiter sind immer für dich da. Sie arbeiten auf der ganzen Welt, sodass du stets Hilfe bekommst, wenn du sie brauchst.

      MEHR ALS 300 Menschen
      SOFORT RUND UM DIE UHR VERFÜGBAR

      Du bist in guter Gesellschaft.

      Menschen aus aller Welt erreichen erstaunliche Dinge auf WordPress.

      Sieh dir Annettes Geschichte an

      Ein innovativer Friseursalon in New York City.

      Es ist ein wunderbares Privileg und eine lebensverändernde Erfahrung. Ich bin WordPress.com dankbar dafür, dass es eine kostengünstige und benutzerfreundliche Plattform bietet, auf der Menschen Projekte starten und sich auf diese Weise Gehör verschaffen können.
      Ann Morgan
      ayearofreadingtheworld.com
      Ich habe mir angesehen, was andere Blogger verwenden, die ich bewundere, und der Mercedes unter den Plattformen ist eindeutig WordPress.com. Die Themes sind atemberaubend – sogar die kostenlosen! –, und die gesamte unterstützende Infrastruktur und sämtliche Informationen sind erstklassig.
      Alexis Kanda-Olmstead
      alexiskanda-olmstead.com

      Du kannst. Du wirst. Wir helfen dir.

      Erfinde das beste Katzenfutter der Welt, rette den Regenwald, starte einen Nähclub. Was auch immer du tun möchtest, du brauchst eine Website. Und hier kommen wir ins Spiel.

      #####EOF##### Enterprise WordPress hosting, support, and consulting – WordPress VIP – Our best-in-class enterprise WordPress hosting platform, expert consulting and support, and diverse partner ecosystem free you to focus on your business objectives.

      We support your applications as if they were our own.

      We review every line of code and closely vet technical integrations. Our clients tell us that the standards we introduce bring confidence and creative freedom to their developers, trust to leadership, and efficiency and order to their pipelines.

      “In the past, if a website wasn’t meeting its goals, the marketing campaign would be over before the team was able to make any improvements. Now, changes like this happen instantly. It’s a new world for us.”

      — Ryan Pugatch, HBG

      “Working with WordPress.com VIP allows our team to focus on building awesome stuff”

      — David Parsons, USA Today
      USA Today logo

      You’re in good company.

      We have the pleasure of working with clients representing the best of the best in media, marketing, and more.

      A complete solution for digital publishing.

      Top-notch enterprise WordPress hosting, support, and guidance. Ready models, processes, and plugins to deliver your business goals. Deep, extensible capabilities. Diverse technology partnerships. Vast developer ecosystem.

      Highly available and robust APIs

      Connect WordPress to all kinds of systems and processes, including mobile apps and decoupled front ends. The possibilities are endless.

      Backwards compatibility and forward flexibility

      Free your pipeline from maintenance updates and releases, and never worry again about what version you’re running.

      The power of open source

      Avoid vendor lock-in, enjoy the transparency of a public roadmap, take advantage of the knowledge base in the enterprise user community, and join a massive ecosystem.

      Total cost of ownership

      Savings from licensing fees, flat-rate traffic pricing, included code review, and our managed hosting and support services all reduce CapEx and OpEx burdens when compared with other solutions.

      A different kind of partnership

      Do business at human scale, with a team of people who won’t disappear after the contract is signed, and who are personally invested in your success. We’re proud to be considered pioneers of an open, globally distributed, agile way of working.

      Freedom to focus

      Whether you're seeking end-to-end guidance or just rock-solid WordPress hosting and support, we've got you covered. Put your resources against their highest value efforts. Leave the upgrades, performance, security, and scale to us.

      Ready to get started?

      Drop us a note.

      No matter where you are in the planning process, we’re happy to help, and we’re actual humans here on the other side of the form. 👋 We’re here to discuss your challenges and plans, evaluate your existing resources or a potential partner, or even make some initial recommendations. And, of course, we’re here to help any time you’re in the market for some robust WordPress awesomeness.

      #####EOF##### WordPress.com: Create a Free Website or Blog
      Watch Annette’s story

      Build a website, build a movement.

      Whatever you want to create, share, or sell, we’ll help you do it right here.

      Free to start, with room to grow.

      Whether it’s a website, online store, portfolio, or blog, our plans scale with your dreams. All you need is an idea and an internet connection.

      Blogger

      $3

      per month, billed yearly

      Best for Bloggers Brand your blog with a custom .blog domain name, and remove all WordPress.com advertising. Receive additional storage space and email support.

      Start with Blogger

      • Free .blog Domain for One Year
      • Jetpack Essential Features
      • Email Support
      • Dozens of Free Themes
      • Basic Design Customization
      • 6GB Storage Space
      • Remove WordPress.com Ads

      Personal

      $5

      per month, billed yearly

Best for Personal Use. Boost your website with a custom domain name, and remove all WordPress.com advertising. Get access to high‑quality email and live chat support.

      Start with Personal

      • Free Domain for One Year
      • Jetpack Essential Features
      • Email & Live Chat Support
      • Dozens of Free Themes
      • Basic Design Customization
      • 6GB Storage Space
      • Remove WordPress.com Ads

      Premium

      $8

      per month, billed yearly

Best for Freelancers. Build a unique website with advanced design tools, CSS editing, lots of space for audio and video, and the ability to monetize your site with ads.

      Start with Premium

      • Free Domain for One Year
      • Jetpack Essential Features
      • Email & Live Chat Support
      • Unlimited Premium Themes
      • Advanced Design Customization
      • 13GB Storage Space
      • Remove WordPress.com Ads
      • Advanced Social Media
      • Simple Payments
      • Site Monetization
      • VideoPress Support

      Business

      $25

      per month, billed yearly

Best for Small Businesses. Power your business website with unlimited premium and business theme templates, Google Analytics support, unlimited storage, and the ability to remove WordPress.com branding.

      Start with Business

      • Free Domain for One Year
      • Jetpack Essential Features
      • Email & Live Chat Support
      • Unlimited Premium Themes
      • Advanced Design Customization
      • Unlimited Storage Space
      • Remove WordPress.com Ads
      • Advanced Social Media
      • Simple Payments
      • Site Monetization
      • VideoPress Support
      • Get Personalized Help
      • SEO Tools
      • Upload Plugins
      • Install Themes
      • Google Analytics Integration
      • Remove WordPress.com Branding

      eCommerce

      $45

      per month, billed yearly

Best for Online Stores. Sell products or services with this powerful, all‑in‑one online store experience. This plan includes premium integrations and is extendable, so it’ll grow with you as your business grows.

      Start with eCommerce

      • Free Domain for One Year
      • Jetpack Essential Features
      • Email & Live Chat Support
      • Unlimited Premium Themes
      • Advanced Design Customization
      • Unlimited Storage Space
      • Remove WordPress.com Ads
      • Advanced Social Media
      • Simple Payments
      • Site Monetization
      • VideoPress Support
      • Get Personalized Help
      • SEO Tools
      • Upload Plugins
      • Install Themes
      • Google Analytics Integration
      • Remove WordPress.com Branding
      • Accept Payments in 60+ Countries
      • Integrations with Top Shipping Carriers
      • Unlimited Products or Services
      • eCommerce Marketing Tools
      • Premium Customizable Starter Themes

      WordPress.com Free

A free WordPress.com site includes a WordPress.com subdomain, community support, dozens of free themes, basic design customization, and more.

      What can you do on WordPress.com?

      WordPress.com gives you everything you need to create anything you want. It’s flexible, secure, and powerful, just like you want your business to be.

      Build a fan base.
      Promote your products, use advanced statistics and SEO tools, and connect with built-in audiences on social media to grow your business.
      Open a store.
      Process payments, configure taxes and shipping, build a marketing plan—you make the widgets, we’ll make the website.
      Start a blog.
      Everyone has a point of view. Make your mark online with the world’s greatest blogging tool, and join a community millions strong that’s waiting to hear what you have to say.
      Design a portfolio.
      Thousands of themes means there’s a layout that’s just right for you, while storage and design options ensure you can upload anything you need to and give your work the stage it deserves.
      Getting started is easy.

      Engineering happiness.

      Our 24/7 support is powered by actual people. We call them Happiness Engineers.

      From configuring settings to publishing pages to helping you pick the perfect design, they’re all ears, all smiles, and all human. Happiness Engineers also work all around the world—and around the clock, so there’s always someone there when you need them.

More than 300 humans, available instantly, 24/7.

      You’re in good company.

      People all over the world are doing all sorts of amazing things on WordPress.

      An innovative New York City hair salon.

“I looked into what other bloggers whom I admired were using, and the Cadillac of platforms is WordPress.com, hands down. The themes are breathtaking — even the free ones! — and all of the supporting infrastructure and information is top shelf.”
Alexis Kanda-Olmstead, alexiskanda-olmstead.com

“WordPress.com works really well with Google for a great SEO ranking. I can also embed YouTube videos, Google Maps, and other content easily and without any coding ability.”
Quintin Lake, theperimeter.uk

      You can. You will. We’ll help.

      Invent the world’s greatest cat food, save a rainforest, start a needlepoint club. Whatever it is, it’s going to need a website — that’s where we come in.

      #####EOF##### Integrate Your WordPress.com Website with Google Tools

      WordPress.com + Google

      Discover the easiest way to use Google tools and services on your WordPress website. No need to pick and choose. Get the best of the web on WordPress.com.

      Google Analytics

      Inform your business decisions with in-depth data – powered by Google.

      Add Google Analytics to your WordPress.com Business site to track performance. Get timely and detailed statistics about where your visitors are coming from, how they’re interacting with your site, and whether they’re responding to your marketing efforts.

      G Suite by Google Cloud

      Enjoy the most popular Google products right at your fingertips.

      Add a professional Gmail address, Drive, Docs, Calendars, and Hangouts to your WordPress.com account. Our integration with G Suite improves your site’s performance and your workflow – no software required.

      Search Console

      Make your site easier to find with Search Console

      With Google Search Console integration, you can see your site like a search engine does. Get detailed reports that show how visitors are searching for you, what they’re clicking on, who is linking to your site, and much more. Optimize your site for more traffic and better discoverability.

      Google Docs

      Embrace collaborative editing for your WordPress website.

      Google Docs for WordPress.com lets you write, edit, and collaborate in Docs, then save it as a blog post on any WordPress.com site. Your images and most formatting will carry over from Docs to WordPress too. No more copy-and-paste headaches.

      Google Photos

      Streamline your workflow with Google Photos for WordPress.

      Upload once, share anywhere. With Google Photos for WordPress, you can manage your media easily and save on web storage. Rather than uploading twice, browse, search, and copy photos from your Google account right into your WordPress.com blog posts and pages.

      Get the best web performance for your business site with the power of Google on WordPress.com.

      Build your site with our Business Plan to add Google tools and services, no installation required.

      #####EOF##### Blog Tool, Publishing Platform, and CMS — WordPress

      Powerful Features

      Limitless possibilities. What will you create?

• Customizable Designs
• SEO Friendly
• Responsive Mobile Sites
• High Performance
• Manage on the Go
• High Security
• Powerful Media Management
• Easy and Accessible

      #####EOF##### WordPress | Meetup Pro - Meetup

      WordPress

      99 countries • 717 groups • 356434 members

      Groups

      Sorry, no groups were found.
      #####EOF##### Domain Search — WordPress.com

      WordPress.com

      The right domain is all you need

      Just one click and your domain is a website. It's your new blog. Or your company's website. Or a portfolio of your work. Or anything you can imagine. Start a new site in seconds and get the design, features, and support you need to bring your idea to life.

      Own your identity

      Your domain is a personalized address that's easy to remember and easy to share. Activate email forwarding or connect to G Suite to add a custom email address for your business or brand.

      Ready when you are

Grab your domain now so you don't have to compromise later. Every domain includes a beautiful temporary placeholder page that you can replace with a full site whenever you're ready.

      Powerful advanced settings

Our powerful and easy-to-use tools make domain management effortless. Everything you need in a simple interface.

      Here to help

      Get support from our experts through email or live chat. Whether you're adding a site to your domain or editing your DNS records, we can help. We're excited to help you see your vision come to life.

      Bring your idea to life

      Start the search for your perfect domain.

      Find your new domain
      #####EOF#####